puppetlabs / puppetlabs-java_ks
Uses a combination of keytool and openssl to manage entries in a Java keystore
License: Apache License 2.0
When obtaining the array of fingerprints from a PKCS12 keystore, the list includes multiple certificates' fingerprints: each of the CAs in the chain is also in the fingerprint array returned. When this is compared to the "latest" in the insync function, the current is a large list of fingerprints which will never match the fingerprint being matched as latest.
This behavior of printing the corresponding CA certs seems to occur for at least PKCS12-formatted keystores on Java 17. We have multiple Java 17 instances where there is an existing JKS keystore where the listing of the CA certs doesn't happen. This also only happens on a "leaf" cert.
The certificate is repeatedly deleted and then re-imported, as the comparison is the reverse of what it should be. Here is what happens when we print the fingerprint values being compared by the insync method:
Info: current has value:'["14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68", "25:CD:2D:9A:12:96:F9:3E:05:A6:0A:A3:62:B9:31:59:6A:83:43:8F:91:A6:47:25:C1:1A:3E:84:A4:C5:CD:D5", "2E:E8:86:28:AD:4D:71:87:19:34:CB:2C:EE:C4:F6:70:19:C7:78:B7", "8E:A0:FF:5D:3B:24:12:F7:D1:C5:E8:23:63:E0:E2:96:83:8E:7F:F6", "B8:B2:CE:01:17:65:78:9F:8E:8B:BC:CF:7C:22:35:BF:9D:37:D2:2F:7B:92:3E:8E:57:FA:24:EC:2B:A1:F3:4C", "BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B"]'
Info: latest has value:'["14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68", "BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B"]'
Steps to reproduce the behavior:
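To show what an order-insensitive, idempotent comparison of those two lists looks like, here is an added example in Ruby (the language of the module's providers). It is not code from puppetlabs-java_ks; the keytool listings it parses are constructed samples built around the fingerprints quoted in the report, and the function names are this example's own.

```ruby
# Added example, not code from puppetlabs-java_ks: parse the fingerprint lines
# keytool prints for a keystore entry and for a certificate file, then compare
# them the way an idempotent insync check needs to. Both listings below are
# constructed keytool-style samples built around the values in the report.

FINGERPRINT_RE = /^\s*(SHA1|SHA256):\s*([0-9A-F]{2}(?::[0-9A-F]{2})+)\s*$/

# keytool -list -v style output for a PKCS12 entry with a three-certificate
# chain (leaf first). Constructed; only the fingerprint lines matter here.
CURRENT_LISTING = <<~OUT
  Alias name: sat.example.com
  Entry type: PrivateKeyEntry
  Certificate chain length: 3
  Certificate[1]:
  Certificate fingerprints:
       SHA1: BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B
       SHA256: 14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68
  Certificate[2]:
  Certificate fingerprints:
       SHA1: 2E:E8:86:28:AD:4D:71:87:19:34:CB:2C:EE:C4:F6:70:19:C7:78:B7
       SHA256: 25:CD:2D:9A:12:96:F9:3E:05:A6:0A:A3:62:B9:31:59:6A:83:43:8F:91:A6:47:25:C1:1A:3E:84:A4:C5:CD:D5
  Certificate[3]:
  Certificate fingerprints:
       SHA1: 8E:A0:FF:5D:3B:24:12:F7:D1:C5:E8:23:63:E0:E2:96:83:8E:7F:F6
       SHA256: B8:B2:CE:01:17:65:78:9F:8E:8B:BC:CF:7C:22:35:BF:9D:37:D2:2F:7B:92:3E:8E:57:FA:24:EC:2B:A1:F3:4C
OUT

# keytool -v -printcert output for the leaf certificate file alone. Constructed.
LATEST_PRINTCERT = <<~OUT
  Owner: CN=sat.example.com
  Certificate fingerprints:
       SHA1: BA:05:B0:A6:89:B8:2D:D6:7B:6E:6B:60:2B:1E:4A:9E:75:28:0F:4B
       SHA256: 14:5A:5E:B0:18:E1:00:C3:C0:25:DD:32:91:3D:04:BE:E2:21:B0:A2:B3:23:92:CB:CF:AF:10:8D:7A:01:80:68
OUT

# Flat, sorted list of every fingerprint in the output: the shape the report
# shows being compared (SHA1 and SHA256 values mixed in one array).
def fingerprints_from(keytool_output)
  keytool_output.scan(FINGERPRINT_RE).map { |_algo, hex| hex }.sort
end

# Per-certificate view, one hash per "Certificate fingerprints:" section, so a
# caller can single out the leaf (chain position 1) from the CAs behind it.
def fingerprints_per_cert(keytool_output)
  keytool_output.split(/^\s*Certificate fingerprints:\s*$/).drop(1).map do |section|
    section.scan(FINGERPRINT_RE).to_h
  end
end

# Strict equality: fails whenever the entry carries a chain, which is the
# endless delete-and-reimport loop the report describes.
def naive_in_sync?(current, latest)
  current == latest
end

# Subset check: in sync when every fingerprint of the certificate being managed
# is present in the entry. Extra CA fingerprints do not trigger a change, while
# a genuinely rotated certificate (new fingerprints) still does.
def in_sync?(current, latest)
  latest.all? { |fp| current.include?(fp) }
end

if __FILE__ == $PROGRAM_NAME
  current = fingerprints_from(CURRENT_LISTING)
  latest  = fingerprints_from(LATEST_PRINTCERT)
  puts "naive: #{naive_in_sync?(current, latest)}  subset: #{in_sync?(current, latest)}"
end
```

The subset direction matters: checking that the store's list is contained in the desired list (the reverse) is exactly what can never succeed once keytool prints the chain.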
When using the puppet-openssl and puppetlabs-java_ks modules, the passwords for the private key and the Java keystore files cannot be different. If they are different, it results in an "invalid curve name" error.
The curve name is valid, and the code works when both passwords are the same. The error message does not reveal what the issue is.
Install the puppet-openssl and puppetlabs-java_ks modules.
x509_cert { certificate:
  ...
  password => $private_key_pw,
  ...
}
java_ks { keystore_location:
  ...
  password => $keystore_pw,
  ...
}
When running Puppet, the error occurs on the line for the java_ks resource:
Error: Could not set 'latest' on ensure: invalid curve name
Wrapped exception:
invalid curve name
I have a production problem with java_ks when the "target" parameter is a constant:
target => '/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts'
but when Java 1.7 was updated I needed to change the Puppet manifest to:
target => '/usr/lib/jvm/java-7-oracle-25/jre/lib/security/cacerts'
This is not a solution; I need autodiscovery of JAVA_HOME and concatenation with "/jre/lib/security/cacerts" inside the "java_ks" extension.
Problem with $JAVA_HOME: it is not the right way to discover "java".
Example of extracting the Java path:
$ update-alternatives --get-selections | grep "java\s" | awk '{FS=" ";print $3}' | sed 's/jre\/bin\/java//g'
/usr/lib/jvm/java-7-oracle/
$ update-alternatives --get-selections | grep "java\s" | awk '{FS=" ";print $3}' | sed 's/jre\/bin\/java//g'
/usr/lib/jvm/java-7-oracle-25/bin/java
What do you think about auto-discovering the Java path in this Puppet extension on Ubuntu?
Observing random errors in the java_ks provider in a PE 2021.7.2 (Puppet 7) environment, Amazon Linux 2 agent, RHEL 8 server:
change from 'present' to 'latest' failed: Execution of 'keytool -v -printcert -file /tmp/certificate20230313-11787-1fogisx' returned 1: keytool error: java.io.FileNotFoundException: /tmp/certificate20230313-11787-1fogisx (No such file or directory)
java.io.FileNotFoundException: /tmp/certificate20230313-11787-1fogisx (No such file or directory)
The temp file is created by the provider itself, so there seems to be a race condition.
java_ks { "sat.example.com:${cacerts}":
  ensure              => 'latest',
  certificate_content => file("${module_name}/sat.example.com.pem"),
  password            => 'changeit',
  storetype           => 'jks',
}
It doesn't happen on each Puppet run; I didn't find any pattern.
Consider:
java_ks { "$cert_alias:$truststore_path":
  ensure       => latest,
  certificate  => $cert_path_unique,
  trustcacerts => true,
  password     => $truststore_passwd,
}
If $cert_path_unique is a PEM file which contains an intermediate and a leaf certificate, then Puppet outputs the following on every run:
Java_ks[jREDACTED]/ensure: ensure changed 'present' to 'latest'
Puppet should be idempotent.
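The non-idempotent run above and the PKCS12 fingerprint report earlier on this page have the same shape: keytool lists fingerprints for every certificate behind the entry, while the certificate being managed contributes only its own. The added example below (Ruby, not code from puppetlabs-java_ks) builds a throwaway intermediate + leaf chain in memory as constructed test data, splits a PEM bundle into leaf and CAs the way a provider would need to before importing, and derives both lists in keytool's colon-separated fingerprint format so they can be compared with a subset check. Function names and the chain's subject names are this example's assumptions.

```ruby
require 'openssl'

# Added example, not code from puppetlabs-java_ks. Splits a PEM bundle into the
# leaf and its CAs, computes fingerprints in keytool's format, and shows that
# "current" (whole chain, as keytool -list -v prints for the entry) and
# "latest" (the leaf alone) only agree under a subset comparison.

# Same colon-separated, upper-case hex layout keytool prints.
def keytool_fingerprints(cert)
  der = cert.to_der
  {
    'SHA1'   => OpenSSL::Digest::SHA1.hexdigest(der).upcase.scan(/../).join(':'),
    'SHA256' => OpenSSL::Digest::SHA256.hexdigest(der).upcase.scan(/../).join(':'),
  }
end

def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# The leaf is the certificate that issued nothing else in the bundle; the
# remaining certificates are the chain to be imported with -trustcacerts.
def split_bundle(pem)
  certs = parse_bundle(pem)
  leaf = certs.find do |c|
    certs.none? { |other| !other.equal?(c) && other.issuer.to_s == c.subject.to_s }
  end
  [leaf, certs.reject { |c| c.equal?(leaf) }]
end

# The two lists a provider ends up comparing for the entry.
def expected_lists(bundle_pem)
  leaf, cas = split_bundle(bundle_pem)
  current = ([leaf] + cas).flat_map { |c| keytool_fingerprints(c).values }.sort
  latest  = keytool_fingerprints(leaf).values.sort
  { current: current, latest: latest }
end

# Idempotent comparison: every fingerprint of the managed cert must be present.
def in_sync?(current, latest)
  latest.all? { |fp| current.include?(fp) }
end

# Constructed test data: a self-signed root, an intermediate, and a leaf.
def issue_cert(subject, ca:, issuer: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..(2**62))
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Bundle as commonly distributed: leaf first, then the intermediate, no root.
def build_sample_bundle
  root, root_key   = issue_cert('/CN=Example Root CA', ca: true)
  inter, inter_key = issue_cert('/CN=Example Intermediate CA', ca: true, issuer: root, issuer_key: root_key)
  leaf, _leaf_key  = issue_cert('/CN=sat.example.com', ca: false, issuer: inter, issuer_key: inter_key)
  leaf.to_pem + inter.to_pem
end

if __FILE__ == $PROGRAM_NAME
  lists = expected_lists(build_sample_bundle)
  puts "current: #{lists[:current].length} fingerprints, latest: #{lists[:latest].length}"
  puts "equal? #{lists[:current] == lists[:latest]}  in sync? #{in_sync?(lists[:current], lists[:latest])}"
end
```

Splitting the bundle also gives a provider the option of importing the CAs under their own aliases and comparing only the leaf, which keeps "current" and "latest" the same length in the first place.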
Need to add a SAN extension, validity name, and distinguished name when generating the keystore.
Add SAN support
Managing keystores manually
During the test setup JDK 8 is being installed; however, the wrong command is being used when this happens: update rather than upgrade. This is causing an error to be thrown.
TS files require a password of at least 6 characters. If you provide a password of under 6 characters, your Puppet run succeeds, but the keytool command fails silently and no .ts file is created.
java_ks { 'truststore':
  ensure       => latest,
  certificate  => '/path/to/cert/cert.pem',
  target       => '/foo.ts',
  password     => 'test',
  trustcacerts => true,
}
The above code should be sufficient to reproduce this issue, assuming you can provide a .pem file.
Just tried out the module, with the password coming from an ENC (Foreman).
When changing the password in the ENC, Puppet does not regenerate the keystore but tries to update it with the new password, which naturally fails and leaves the system in an inconsistent state:
debug: Executing 'keytool -importcert -noprompt -alias puppetca -file /var/lib/puppet/ssl/certs/ca.pem -keystore /etc/pki/testvm02.localdomain.ks -trustcacerts'
err: /Stage[main]/Java_ks::Host/Java_ks[puppetca:keystore]/ensure: change from absent to latest failed: Execution of 'keytool -importcert -noprompt -alias puppetca -file /var/lib/puppet/ssl/certs/ca.pem -keystore /etc/pki/testvm02.localdomain.ks -trustcacerts' returned 1: Enter keystore password: keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Whenever a new store is created, a command is executed to create a new store. If you specify JKS as storetype, you still get PKCS12 as the type.
Expected: the store type is JKS.
1. Create the following configuration:
java_ks { 'some_alias':
  ensure              => latest,
  target              => '/some_path',
  password            => 'some_password',
  certificate_content => '...',
  storetype           => 'jks',
}
I found the issue in the code. See keytool.rb, function def create. Based on the storetype, different code is executed. The else case is done when storetype is jks, but no storetype is set in this command. Adding it would solve the issue.
In the create method of the keytool provider, the password_file resource property is ignored.
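The three reports above (a storetype that is requested but never passed to keytool, a password_file that is ignored, and a short password that keytool rejects silently) are all about how the keytool command line is assembled. The added example below (Ruby, not code from puppetlabs-java_ks) builds the argv for an import the way those reports ask for: -storetype is always passed, password_file is honoured via keytool's -storepass:file form instead of an inline -storepass, and the six-character minimum is checked before keytool runs. Parameter names mirror the java_ks resource attributes; the helper itself and the STORETYPES list are this example's assumptions.

```ruby
# Added example, not code from puppetlabs-java_ks: assemble a keytool import
# command line that honours storetype and password_file and rejects passwords
# keytool would silently refuse.

STORETYPES = %w[jks jceks pkcs12].freeze   # assumption: the types this helper allows
MIN_PASSWORD_LEN = 6                        # keytool's minimum, per the report above

class KeystoreParamError < ArgumentError; end

# Returns argv for `keytool -importcert`. Keyword names follow the java_ks
# resource attributes; trustcacerts adds -trustcacerts as the module does.
def keytool_import_args(alias_name:, target:, certificate:, storetype: 'jks',
                        password: nil, password_file: nil, trustcacerts: false)
  type = storetype.to_s.downcase
  unless STORETYPES.include?(type)
    raise KeystoreParamError, "unknown storetype #{storetype.inspect}"
  end
  args = ['keytool', '-importcert', '-noprompt',
          '-alias', alias_name, '-file', certificate,
          '-keystore', target, '-storetype', type]   # always explicit: a jks request must not become PKCS12
  args << '-trustcacerts' if trustcacerts
  args + storepass_args(password: password, password_file: password_file)
end

# Prefer the file form: the secret then appears neither in the process list nor
# in an error message that echoes the command line. Inline -storepass is the
# fallback, validated up front so a silent keytool failure is not the first sign.
def storepass_args(password:, password_file:)
  if password_file
    ['-storepass:file', password_file]
  elsif password
    if password.length < MIN_PASSWORD_LEN
      raise KeystoreParamError,
            "password must be at least #{MIN_PASSWORD_LEN} characters (keytool requires 6)"
    end
    ['-storepass', password]
  else
    raise KeystoreParamError, 'one of password or password_file is required'
  end
end

if __FILE__ == $PROGRAM_NAME
  puts keytool_import_args(alias_name: 'some_alias', target: '/some_path',
                           certificate: '/tmp/cert.pem', storetype: 'jks',
                           password_file: '/etc/keystore.pw').join(' ')
end
```

keytool accepts -storepass:file and -storepass:env as alternatives to the inline form; a provider that takes password_file should use one of them rather than reading the file and passing the value inline, which would defeat the point of the parameter.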
I'm not sure what the reasoning is behind forcing the password parameter to be present (and to be of a certain length). I'm trying to use this to provision a trusted CA PEM for sending email from Java, i.e. adding it to the system-wide /etc/pki/java/cacerts, which doesn't have (or need) a password.
As it is, the password restriction prevents me from using it for that. Is there something I'm missing? Isn't a password-less store common (e.g. if all it contains are public keys)?
If users have their certificates in an NSS Database, the java_ks module should be able to directly import from that database without manual intervention.
ensure => absent requires the certificate or certificate_content parameter to be set.
The certificate or certificate_content parameter should not be required when removing entries from keystores.
Steps to reproduce the behavior:
Set ensure => absent without a certificate or certificate_content parameter. Puppet will fail with:
Error: Failed to apply catalog: Validation of Java_ks[name_goes_here] failed: You must pass one of 'certificate' or 'certificate_content'
By default the java_ks module creates the target file with owner root, group root (on Linux systems). While this can be "fixed" with a post-ACL change, it would be cleaner if the module supported user and group parameters and created the target file as that user/group.
Expected: java_ks accepts user and group parameters and creates/updates the target keystore as that user/group.
Many users will have CA certificates that are managed in a directory structure. It would be ideal to be able to read each CA certificate in the directory and import them without having to list each file individually or combine them artificially.
If keytool does not exist, the sensitive password is not "redacted" in the error message:
Error: /Stage[main]/Myprofilemodule/Java_ks[myRootCA]/ensure: change from 'absent' to 'latest' failed:
Execution of 'keytool -importcert -noprompt -alias myrootca -file /etc/pki/tls/certs/myCA_root.pem -keystore /path/to/mykeystore -srcstorepass MyPassword -deststorepass MyPassword' returned 1:
Error: Could not execute posix command: No such file or directory - keytool
Expected: check whether keytool exists before trying to execute it.

Just updated to the latest version and get the following error when trying to use an environment-specific path in the puppet URI:
(/Stage[main]/Jumio::Role::Platform/Java_ks::Keystore[platform]/Java_ks[myks:keystore]/ensure) change from absent to latest failed: Could not set 'latest on ensure: undefined method `environment' for #Puppet::Resource::Catalog:0x7f2ca4f0fa78 at /etc/puppet/environments/test/modules/java_ks/manifests/keystore.pp:51
The implementation is the following:
java_ks { "${title}:keystore":
  ensure       => $ensure,
  certificate  => "puppet:///ssl/${environment}/${certificate}",
  private_key  => "puppet:///ssl/${environment}/${private_key}",
  target       => "${path}/${title}.jks",
  password     => $password,
  trustcacerts => $trustcacerts,
}
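Two of the reports on this page concern the environment keytool runs in rather than the keystore itself: the request for auto-discovery of the Java installation (and its cacerts) instead of a hard-coded /usr/lib/jvm path, and the missing-keytool failure that echoed -srcstorepass/-deststorepass values into the error. The added example below (Ruby, not code from puppetlabs-java_ks) resolves the java binary that would actually run, derives the install root and cacerts from it, checks for keytool before executing anything, and redacts secrets from the command line before it reaches a message. The helper names are this example's own; the two layouts it probes are the historic jre/lib/security/cacerts (JDK 8 and earlier, as in the paths quoted above) and lib/security/cacerts (JDK 9 and later). The fixture builds a fake Ubuntu-style tree with update-alternatives symlinks in a temporary directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not code from puppetlabs-java_ks: discover the active JDK from
# the java binary rather than $JAVA_HOME, preflight keytool, and keep passwords
# out of error messages.

# Resolve the `java` that would run (through /etc/alternatives and any other
# symlinks) and take the install root from its real location: .../bin/java -> ...
def java_home_from_path(path = ENV.fetch('PATH', ''))
  java = path.split(File::PATH_SEPARATOR)
             .map { |dir| File.join(dir, 'java') }
             .find { |candidate| File.executable?(candidate) }
  return nil unless java
  File.dirname(File.dirname(File.realpath(java)))
end

# JDK 9+ keeps cacerts under lib/security; JDK 8 and earlier under jre/lib/security.
def cacerts_for(java_home)
  return nil unless java_home
  %w[lib/security/cacerts jre/lib/security/cacerts]
    .map { |rel| File.join(java_home, rel) }
    .find { |f| File.file?(f) }
end

def find_keytool(java_home, path = ENV.fetch('PATH', ''))
  candidates = []
  candidates << File.join(java_home, 'bin', 'keytool') if java_home
  candidates += path.split(File::PATH_SEPARATOR).map { |d| File.join(d, 'keytool') }
  candidates.find { |c| File.executable?(c) }
end

# Mask every argument containing a secret before the argv goes into a log or
# an exception message.
def redact(argv, secrets)
  argv.map { |a| secrets.any? { |s| !s.to_s.empty? && a.include?(s) } ? '[redacted]' : a }
end

class KeytoolMissing < StandardError; end

# Returns the argv with keytool's resolved path in front, or raises a clear,
# secret-free error when there is no keytool to run.
def preflight_keytool(argv, secrets:, java_home: nil, path: ENV.fetch('PATH', ''))
  keytool = find_keytool(java_home, path)
  unless keytool
    raise KeytoolMissing,
          "keytool not found in JAVA_HOME or PATH; would have run: #{redact(argv, secrets).join(' ')}"
  end
  [keytool] + argv.drop(1)
end

# Constructed fixture: a fake tree with /usr/bin/java -> /etc/alternatives/java
# -> <jdk>/.../bin/java, in either the JDK 8 (jre/) or JDK 9+ layout.
def with_fake_jdk(layout: :jdk8)
  Dir.mktmpdir do |root|
    home    = File.join(root, 'usr/lib/jvm', layout == :jdk8 ? 'java-7-oracle' : 'java-17-openjdk')
    bin_dir = layout == :jdk8 ? File.join(home, 'jre/bin') : File.join(home, 'bin')
    sec_dir = layout == :jdk8 ? File.join(home, 'jre/lib/security') : File.join(home, 'lib/security')
    FileUtils.mkdir_p([bin_dir, sec_dir, File.join(root, 'etc/alternatives'), File.join(root, 'usr/bin')])
    File.write(File.join(bin_dir, 'java'), "#!/bin/sh\n")
    File.chmod(0o755, File.join(bin_dir, 'java'))
    File.write(File.join(sec_dir, 'cacerts'), '')
    File.symlink(File.join(bin_dir, 'java'), File.join(root, 'etc/alternatives/java'))
    File.symlink(File.join(root, 'etc/alternatives/java'), File.join(root, 'usr/bin/java'))
    yield File.join(root, 'usr/bin'), home
  end
end

if __FILE__ == $PROGRAM_NAME
  with_fake_jdk(layout: :jdk8) do |bin, _home|
    jh = java_home_from_path(bin)
    puts "java home: #{jh}\ncacerts:   #{cacerts_for(jh)}"
  end
end
```

Because the root is derived from the resolved binary, a JDK upgrade that moves the installation (java-7-oracle to java-7-oracle-25 in the report) changes nothing in the manifest: the alternatives link moves, and the cacerts path follows it.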