webhook does not support the use of intermediate certificates #510
mcb30 added a commit to mcb30/puppet-r10k that referenced this issue on Mar 28, 2020:

The webhook service is currently limited to using a certificate directly issued by a trusted CA; it will silently ignore any intermediate certificates that are present in the certificate file.

The currently released versions of the Ruby OpenSSL libraries do not provide any clean way to load a certificate chain from a file. We therefore split the file using the BEGIN/END markers as per RFC 7468, and construct the certificate chain directly.

No tests are extended to cover this enhancement, since there is no existing test coverage for the use of HTTPS certificates by the webhook. All current tests use plain HTTP via http://localhost:8088.

Fixes voxpupuli#510

Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
mcb30 added a commit to mcb30/puppet-r10k that referenced this issue on Mar 29, 2020
mcb30 added a commit to mcb30/puppet-r10k that referenced this issue on Mar 29, 2020
mcb30 added a commit to mcb30/puppet-r10k that referenced this issue on Mar 30, 2020
mcb30 added a commit to mcb30/puppet-r10k that referenced this issue on Mar 30, 2020
Affected Puppet, Ruby, OS and module versions/distributions
All versions
How to reproduce (e.g. Puppet code you use)
Attempt to use any webhook server certificate that requires the use of an intermediate certificate. For example, using a certificate for the machine's FQDN issued by LetsEncrypt:
What are you seeing
Connections to the webhook fail TLS verification because the intermediate certificate is missing. For example:
What behaviour did you expect instead
Connections to the webhook should succeed. This requires the webhook to present the intermediate certificate(s) along with its own certificate.
Any additional information you'd like to impart
A pull request to fix this issue is ready and will be submitted shortly.
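
The approach the commit message describes (splitting the certificate file on its RFC 7468 BEGIN/END markers and building the chain from the pieces), shown here as an added example that is not the code from the pull request. The throwaway root, intermediate and leaf certificates are constructed in-process, and `make_cert`, `load_chain`, `verifies?` and `demo` are hypothetical names.

```ruby
require 'openssl'

# Constructed throwaway PKI helper (hypothetical): issuer_cert nil means self-signed.
def make_cert(cn, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# One RFC 7468 textual encoding of a certificate, markers included.
PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Split the file text on the markers; first block is the server certificate,
# the remaining blocks are the intermediates to present alongside it.
def load_chain(pem_text)
  certs = pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, 'no certificate found' if certs.empty?
  [certs.first, certs.drop(1)]
end

# What a client that trusts only the root sees for a given presented chain.
def verifies?(root, leaf, extra)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, extra)
end

def demo
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Constructed Root', root_key, nil, root_key, ca: true)
  inter = make_cert('Constructed Intermediate', int_key, root, root_key, ca: true)
  leaf  = make_cert('webhook.example.test', leaf_key, inter, int_key, ca: false)
  bundle = leaf.to_pem + inter.to_pem # leaf first, then intermediate
  naive = OpenSSL::X509::Certificate.new(bundle) # reads only the first PEM block
  cert, extra = load_chain(bundle)
  { naive_ok: verifies?(root, naive, []), chain_len: extra.size,
    chain_ok: verifies?(root, cert, extra) }
end

p demo if __FILE__ == $PROGRAM_NAME
```
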