I think certificate handling is a valid critique of Puppet's security implementation. Running a public key infrastructure of any sort is difficult. Things like expired CAs and a lack of intermediate signing CAs do expose Puppet administrators who are lacking those fairly rare skill sets to some difficult potential issues. I don't want to run a CA, mostly because I've had to run one before. Many people would also like to extend the expiration to more than 5 years, but don't find out about this issue until 4.5 years in. Whoops :)
It's just that the fix isn't agents automatically accepting new CAs. In the example given of bringing a new CA online, the issue isn't that the client would be missing a copy of the original CA signatures, but that there's no way to verify the new CA is related to the old CA. This constitutes a pretty high security risk with a decent probability of exploitation, and not just by external parties: it would be easy to DoS your agents during a failed migration, or by testing with Vagrant or additional VMs and forgetting to change DNS/IPs, or a dozen other simple things to miss. Any improvement here probably ends up being relatively complex to ensure risks remain low.

It would be much more reasonable to have an extremely long-lived CA and some intermediate CAs. This is supported by Puppet, but only, I believe, with an external CA setup (https://docs.puppet.com/puppet/latest/config_ssl_external_ca.html), which again is not something most of us should probably be doing. I don't know that there's a great way to handle this for the masses, unless Puppet wants to become a CA and sign intermediates for us ;)

On Mon, Jan 9, 2017 at 7:18 PM John Gelnaw <jgel...@gmail.com> wrote:
> since the agent has, in theory, a valid copy of the original CA which it
> can use to validate the connection.

--
Rob Nelson

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAC76iT_2XN3vaZKrpzsrXOzkT%2B4_3P82ZZWkipigm8%3D%3DXew9ZA%40mail.gmail.com.
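The distinction Rob draws above, a long-lived root with intermediates rotating underneath it versus a replacement CA that an agent has no way to relate to the one it already trusts, can be shown end to end in a short script. This is an added example and not code from the thread or from Puppet itself; it uses Ruby's standard OpenSSL bindings because that is what Puppet's own CA code is built on. The CA names, the hostname puppet.example.com, and the 20-year root / 5-year intermediate lifetimes are assumptions chosen for illustration, and the "agent" here is simply a trust store seeded with the root, which is the position the quoted reply describes.

```ruby
require 'openssl'

# Added example, not Puppet's code. Builds a root CA, two intermediates signed
# by it, an unrelated "replacement" CA, and host certificates under each, then
# checks what an agent that trusts only the root will accept. All names,
# hostnames and lifetimes are assumptions for illustration.

# Common skeleton for every certificate; issuer_cert is nil for a self-signed root.
def skeleton(cn, issuer_cert, days)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3, needed for extensions
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  [cert, key, ef]
end

# A CA certificate: self-signed root when issuer_cert is nil, otherwise an
# intermediate signed by the issuer's key. Default lifetime is 20 years.
def make_ca(cn, issuer_cert: nil, issuer_key: nil, days: 365 * 20)
  cert, key, ef = skeleton(cn, issuer_cert, days)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always')) if issuer_cert
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# An end-entity certificate, like the one a puppet master presents to agents.
def make_leaf(cn, issuer_cert, issuer_key, days: 365 * 5)
  cert, key, ef = skeleton(cn, issuer_cert, days)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth, clientAuth'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The agent's side: trust only the root it was bootstrapped with and validate
# the presented certificate plus whatever intermediates came with it.
# Returns [accepted?, reason].
def agent_verify(trusted_root, presented, intermediates = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  ok = store.verify(presented, intermediates)
  [ok, store.error_string]
end

# Days until a certificate expires; checking this on the CA cert regularly is
# what avoids the "4.5 years in" surprise mentioned in the thread.
def days_left(cert)
  ((cert.not_after - Time.now) / 86_400).floor
end

def expiry_warning(cert, warn_days: 365)
  left = days_left(cert)
  left < warn_days ? "#{cert.subject} expires in #{left} days" : nil
end

def scenario
  root, root_key = make_ca('Example Puppet Root CA')
  int_a, int_a_key = make_ca('Example Puppet Intermediate A', issuer_cert: root, issuer_key: root_key, days: 365 * 5)
  int_b, int_b_key = make_ca('Example Puppet Intermediate B', issuer_cert: root, issuer_key: root_key, days: 365 * 5)
  stray_root, stray_key = make_ca('Unrelated Replacement CA')  # a "new CA" with no link to the root

  host = 'puppet.example.com'                                  # constructed hostname
  master_a, _ = make_leaf(host, int_a, int_a_key)
  master_b, _ = make_leaf(host, int_b, int_b_key)
  master_stray, _ = make_leaf(host, stray_root, stray_key)

  {
    current_intermediate: agent_verify(root, master_a, [int_a]),
    rotated_intermediate: agent_verify(root, master_b, [int_b]),     # rotation under the same root: accepted
    unrelated_ca:         agent_verify(root, master_stray, [stray_root]),  # the migration failure mode: rejected
    chain_not_sent:       agent_verify(root, master_b),              # intermediate not distributed: rejected
  }
end

if $PROGRAM_NAME == __FILE__
  scenario.each { |name, (ok, reason)| puts "#{name}: #{ok ? 'accepted' : 'rejected'} (#{reason})" }
end
```

The two rejected cases are the ones the thread is about: an agent holding only the root has no cryptographic path to an unrelated CA, no matter how legitimate that CA is, and rotating an intermediate still requires getting the new intermediate to agents (or having the master send it in the chain). Neither can be fixed by "accept new CAs automatically" without also accepting the rogue case.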