[Bug] TLS certificate can't be created if the directory for private key is specified #185

Open
vasilevalex opened this issue May 3, 2024 · 0 comments · May be fixed by #186
Labels
bug Something isn't working

vasilevalex commented May 3, 2024

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.28.0
  • Ruby: 2.7.8
  • Distribution: Rocky Linux 8.9
  • Module version: 3.1.0

How to reproduce (e.g. Puppet code you use)

Try to create a self-signed certificate with the parameter key_dir, for example:

openssl::certificate::x509 { $facts[networking][fqdn]:
    country      => 'DK',
    state        => 'Denmark',
    locality     => 'Test',
    commonname   => $facts[networking][fqdn],
    organization => 'company A/S',
    unit         => 'test',
    email        => 'admin@test.dk',
    days         => 3650,
    base_dir     => '/etc/ssl/certs',
    key_dir      => '/etc/ssl/private',
    force        => false,
    encrypted    => false,
}

What are you seeing

X509_cert is trying to use the default key from the same directory as the request and certificate (/etc/ssl/certs). The key is generated in the correct directory (/etc/ssl/private).

What behaviour did you expect instead

X509_cert must use the signing key from the parameter key_dir (/etc/ssl/private)

Output log

Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/Openssl::Config[/etc/ssl/certs//host.test.dk.cnf]/File[/etc/ssl/certs//host.test.dk.cnf]/content: content changed '{sha256}8447bb6632d45d40a3eaaceca9aa4cb6adf9aa98998dd463dc65d871b7db6b16' to '{sha256}dee758d609833006021578ebcf715e888c964d1ff047674445be789bc98ebae0'
Info: Openssl::Config[/etc/ssl/certs//host.test.dk.cnf]: Scheduling refresh of X509_request[/etc/ssl/certs//host.test.dk.csr]
Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_request[/etc/ssl/certs//host.test.dk.csr]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_request[/etc/ssl/certs//host.test.dk.csr]: Scheduling refresh of X509_cert[/etc/ssl/certs//host.test.dk.crt]
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Could not evaluate: No such file or directory @ rb_sysopen - /etc/ssl/certs/host.test.dk.key
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Failed to call refresh: Execution of '/bin/openssl x509 -req -days 3650 -in /etc/ssl/certs//host.test.dk.csr -out /etc/ssl/certs//host.test.dk.crt -signkey /etc/ssl/certs/host.test.dk.key -extensions v3_req' returned 1: Signature ok
subject=/C=DK/ST=Denmark/L=Test/O=company A/S/OU=test/CN=host.test.dk/emailAddress=admin@test.dk
Getting Private key
Error opening Private key /etc/ssl/certs/host.test.dk.key
139684502910864:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/ssl/certs/host.test.dk.key','r')
139684502910864:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private key
unable to write 'random state'
Error: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/X509_cert[/etc/ssl/certs//host.test.dk.crt]: Execution of '/bin/openssl x509 -req -days 3650 -in /etc/ssl/certs//host.test.dk.csr -out /etc/ssl/certs//host.test.dk.crt -signkey /etc/ssl/certs/host.test.dk.key -extensions v3_req' returned 1: Signature ok
subject=/C=DK/ST=Denmark/L=Test/O=company A/S/OU=test/CN=host.test.dk/emailAddress=admin@test.dk
Getting Private key
Error opening Private key /etc/ssl/certs/host.test.dk.key
139684502910864:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/ssl/certs/host.test.dk.key','r')
139684502910864:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private key
unable to write 'random state'
Notice: /Stage[main]/Profile::Test::Tls_certs/Openssl::Certificate::X509[host.test.dk]/File[/etc/ssl/certs//host.test.dk.crt]: Dependency X509_cert[/etc/ssl/certs//host.test.dk.crt] has failures: true

Any additional information you'd like to impart

Commit a8a98cf broke the behavior.
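The lookup described in this report, as an added Ruby example that is not the module's own code: it models a key path derived from the certificate's directory versus one that honours key_dir, then self-signs against each. The helper names `sibling_key_path`, `signing_key_path` and `self_sign` are hypothetical, and temporary directories stand in for /etc/ssl/certs and /etc/ssl/private.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper: the key path the log shows X509_cert using,
# i.e. the certificate path with .crt swapped for .key.
def sibling_key_path(cert_path)
  File.join(File.dirname(cert_path), "#{File.basename(cert_path, '.crt')}.key")
end

# Hypothetical helper: honour key_dir when given, else fall back to the sibling.
def signing_key_path(cert_path, key_dir: nil)
  return sibling_key_path(cert_path) if key_dir.nil?
  File.join(key_dir, "#{File.basename(cert_path, '.crt')}.key")
end

# Self-sign with the key at key_path; raises Errno::ENOENT if it is absent.
def self_sign(cert_path, key_path, cn:, days:)
  key = OpenSSL::PKey.read(File.read(key_path))
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(cert_path, cert.to_pem)
  cert.check_private_key(key) # true when the cert carries this key's public half
end

# Constructed demo: the key exists only in the private directory (mode 0600).
def demo
  Dir.mktmpdir do |root|
    certs = File.join(root, 'certs')
    priv = File.join(root, 'private')
    FileUtils.mkdir_p(certs)
    FileUtils.mkdir_p(priv, mode: 0o700)
    crt = File.join(certs, 'host.test.dk.crt')
    File.write(File.join(priv, 'host.test.dk.key'), OpenSSL::PKey::RSA.new(2048).to_pem, perm: 0o600)
    broken = begin
      self_sign(crt, signing_key_path(crt), cn: 'host.test.dk', days: 3650)
    rescue Errno::ENOENT
      :missing_key # same failure as "No such file or directory" in the log
    end
    [broken, self_sign(crt, signing_key_path(crt, key_dir: priv), cn: 'host.test.dk', days: 3650)]
  end
end
```
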

vasilevalex added a commit to vasilevalex/puppet-openssl that referenced this issue May 3, 2024
@kenyon kenyon added the bug Something isn't working label May 3, 2024