Download fails when host cert is signed by private CA #400

Open
BrianSipos opened this issue Feb 6, 2020 · 3 comments

@BrianSipos

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.3.10
  • Ruby: 2.0.0.648
  • Distribution: CentOS 7
  • Module version: 4.4.0

How to reproduce (e.g Puppet code you use)

Use an archive resource with a "source" URL of a host with an HTTPS certificate signed through a private CA chain.
The operating system (Windows 10) has the private root and intermediate CAs trusted at the operating system level.

What are you seeing

The puppet agent gives an error about not being able to validate the host certificate.

What behaviour did you expect instead

The puppet agent should use the OS-level CA trust to validate the host cert.

@BrianSipos
Author

A workaround is to set "allow_insecure => true" but this defeats the authentication of TLS.

@Mystakill

"allow_insecure => true" also doesn't work when the endpoint being connected to is enforcing SSL/TLS for requestor authentication & enforcing permissions. That makes this a non-starter for us, as all of the hosts in our enterprise do this. We need a way to specify the certificate & key .pem files, and either (preferably) a capath containing all of the certificate authority certs, or a cacert file containing all of the authority certs combined.

@kenyon
Member

kenyon commented Nov 26, 2024

See also: #188
