[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T158757

Puppet certificate missing subjectAltName
Open, MediumPublic
Actions

Description

The generated Puppet certificates are missing the subjectAltName, required by RFC 2818 when they are used as certificates for HTTPS traffic, like for example for PuppetDB API on nitrogen.

Recent libraries like Python urllib3 throws a deprecation warning if the certificate does not have the subjectAltName and will remove support for looking the CN instead in future releases.

/usr/lib/python2.7/dist-packages/urllib3/connection.py:337: SubjectAltNameWarning: Certificate for nitrogen.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning

We should consider adding the subjectAltName with Puppet option dns_alt_names or use different certificates, see also T150822.

Details

SubjectRepoBranchLines +/-
cumin: remove disable warning for urllib3operations/puppetproduction+0 -4
utils: add create_ecdsa_certoperations/puppetproduction+35 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Volans created this task.Feb 22 2017, 12:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 22 2017, 12:37 PM
Volans mentioned this in T150822: Internal PKI for secure communication - Barcelona Ops offsite 2016.Feb 22 2017, 12:38 PM
Volans mentioned this in T158758: Cumin: ignore urllib3 SubjectAltNameWarning in PuppetDB calls.
Volans mentioned this in T156232: confctl SubjectAltNameWarning after python-urllib3 upgrade.Feb 22 2017, 12:52 PM
ema triaged this task as Medium priority.Mar 1 2017, 9:50 AM
Peachey88 added a project: Puppet.Mar 1 2017, 10:51 AM
gerritbot subscribed.Mar 22 2017, 12:56 PM

Change 340107 had a related patch set uploaded (by Volans; owner: Giuseppe Lavagetto):
[operations/puppet] utils: add create_ecdsa_cert

https://gerrit.wikimedia.org/r/340107

gerritbot added a project: Patch-For-Review.Mar 22 2017, 12:56 PM
gerritbot added a comment.Mar 28 2017, 10:07 AM

Change 340107 merged by Giuseppe Lavagetto:
[operations/puppet@production] utils: add create_ecdsa_cert

https://gerrit.wikimedia.org/r/340107

fgiunchedi subscribed.Jul 19 2017, 1:04 PM

Looks like this is still the case for certs issued by puppet CA, the dns_alt_names lists steps to turn this on though https://docs.puppet.com/puppet/latest/configuration.html#dnsaltnames

fgiunchedi added a comment.Jul 20 2017, 8:19 AM

The create_ecdsa_cert script was patched already, though our puppet server doesn't use dns_alt_names. I think it'd be ok in this case to just regenerate the service certificate and leave the puppet cert alone. @Volans @Joe ?

Krenair subscribed.Jun 2 2018, 10:43 PM
gerritbot added a comment.Jul 19 2018, 11:14 AM

Change 446789 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] cumin: remove disable warning for urllib3

https://gerrit.wikimedia.org/r/446789

gerritbot added a comment.Jul 19 2018, 11:16 AM

Change 446789 merged by Volans:
[operations/puppet@production] cumin: remove disable warning for urllib3

https://gerrit.wikimedia.org/r/446789

Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:05 PM
elukey subscribed.Feb 8 2021, 3:16 PM
elukey mentioned this in T273642: Add analytics-presto.eqiad.wmnet CNAME for Presto coordinator failover.Feb 8 2021, 3:19 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 9:00 PM
jbond subscribed.Jul 20 2021, 2:40 PM
jbond edited projects, added Puppet-Core; removed Puppet.Jun 12 2023, 4:25 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 12 2023, 4:30 PM
nshahquinn-wmf mentioned this in T345309: Wmfdata's presto.run fails with Urllib3 v2 or higher.Aug 31 2023, 1:06 AM
nshahquinn-wmf subscribed.Aug 31 2023, 1:25 AM

FYI, Urllib3 version 2, released in April 2023, removed the fallback from serverAltName to commonName, so it will not be able to connect to internal servers.

This has already started to be a problem (T345309, for example) and will only increase over time as more systems and packages pull in the newer version. It's theoretically possible to restore the old behavior via configuration, but this might be difficult to do through layers of dependencies.

So the sooner we actually fix this, the better 😁

jbond added a comment.Aug 31 2023, 9:00 AM
In T158757#9132594, @nshahquinn-wmf wrote:

FYI, Urllib3 version 2, released in April 2023, removed the fallback from serverAltName to commonName, so it will not be able to connect to internal servers.

This has already started to be a problem (T345309, for example) and will only increase over time as more systems and packages pull in the newer version. It's theoretically possible to restore the old behaviour via configuration, but this might be difficult to do through layers of dependencies.

So the sooner we actually fix this, the better 😁

Its worth noting that once services have been migrated to the new puppet7 infrastructure then agent certificates will have a correct SAN entry. however the correct fix for this is to migrate any services relying on the puppet agent certificates for TLS to use the pki infrastructure.

nshahquinn-wmf added a comment.Aug 31 2023, 9:02 PM
In T158757#9133055, @jbond wrote:

Its worth noting that once services have been migrated to the new puppet7 infrastructure then agent certificates will have a correct SAN entry.

Thank you, good to know!

however the correct fix for this is to migrate any services relying on the puppet agent certificates for TLS to use the pki infrastructure.

Could you help me understand what this would look like for us? I've looked at the PKI docs on Wikitech but am still pretty confused.

We have a Python package that uses the Presto Python client to connect the analytics Presto server, and that ultimately relies on Urllib3. There is also Kerberos authentication involved, but I think it's not the source of the problem. You can see the code at https://github.com/wikimedia/wmfdata-python/blob/main/wmfdata/presto.py#L34.

jbond added a subscriber: BTullis.EditedSep 1 2023, 11:16 AM
In T158757#9135499, @nshahquinn-wmf wrote:

however the correct fix for this is to migrate any services relying on the puppet agent certificates for TLS to use the pki infrastructure.

Could you help me understand what this would look like for us? I've looked at the PKI docs on Wikitech but am still pretty confused.

This is something that will need fixing on the server side, the good news is it seems @BTullis has already started work on this as part of T273642 and i can see that an-test-presto1001.eqiad.wmnet has already been updated to use the new pki infrastructure so you should already be able to test against that. Id recommend reaching out to ben to get an update on when this might make it to production.

Volans closed subtask T354415: [cumin] urllib >= 2 fails to disable warning SubjectAltNameWarning as exception is not there anymore as Resolved.Jan 9 2024, 10:44 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits