This repository has been archived by the owner on Dec 20, 2024. It is now read-only.
Parameters for SSL Security Plugin and ActiveMQ/RabbitMQ should NOT be shared #258
Comments
|
This looks like it was solved in #254. Please re-open if that's not the case. |
|
#254 was an improvement, but only partially addresses this. There were no changes to mcollective::client or mcollective::user. I'm going to link to #279, as I see a major version change is possibly being considered. If there is a new major version, it'd be nice to get this right. :) I'll try to find some time to look at https://github.com/jorhett/puppet-mcollective |
|
I am hoping to get involved in merging these two projects FWIW however I've been sidelined by copyedits for the book about to hit the dead tree press. I hope to get back to work on it in about 10 days. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
When connecting to middleware using TLS, mcollective has to present a certificate signed by the same CA that the middleware uses. For this, mcollective needs the signed certificate (which includes the public key), the corresponding private key, and also a copy of the CA certificate.
Typically, users might reuse the puppet agent's cert, private key and puppet ca certificate.
On the other hand, the OpenSSL security plugin doesn't need to use certificates at all. It just needs private/public key pairs. None of these need to be signed by any CA.
All nodes share a private/public key pair. Clients also need their own key pair generated and servers need the client public keys they're going to trust in their plugin.ssl_client_cert_dir directory.
There have been a number of PRs that have tried to address the current use of ssl_* parameters for both the OpenSSL security plugin and the ActiveMQ/RabbitMQ connector TLS. But none have ever been merged.
I recently rebased and fixed up one of the existing PRs. It works, but is kinda incomplete. It works well enough for configuring mcollective servers (which is probably the biggest use-case), but looking at the user class in particular, I see there's more that could be done.
The problem I have is making fixes in a backwards compatible way. Do I really want to have $middleware_ssl_ca default to ssl_ca_cert? It might be backwards compatible, but it's also confusing as the ssl security plugin doesn't require any certificates (just keys).
It'd be far better to default to /var/lib/puppet/ssl/certs/ca.pem (or PE equivalent).
Maybe this needs to be straightened out in a 3.x branch ??
It not, I still think #254 is mergable and would be an improvement, but it'll always look a bit nasty.
The text was updated successfully, but these errors were encountered: