voxpupuli/puppet-archive

Download fails when host cert is signed by private CA

BrianSipos opened this issue · 2 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.3.10
  • Ruby: 2.0.0.648
  • Distribution: CentOS 7
  • Module version: 4.4.0

How to reproduce (e.g Puppet code you use)

Use an archive resource with a "source" URL of a host with HTTPS certificate signed through a private CA chain.
The operating system (Windows 10) has the private root and intermediate CAs trusted at the operating system level.

What are you seeing

The puppet agent gives an error about not being able to validate the host certificate.

What behaviour did you expect instead

The puppet agent should use the OS-level CA trust to validate the host cert.

A workaround is to set "allow_insecure => true" but this defeats the authentication of TLS.
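The validation failure reported above, as an added Ruby example that is not part of the original issue or of puppet-archive: a constructed private root, intermediate and host certificate (generated in-process, no real hosts) are checked with OpenSSL's X509 store the way a VERIFY_PEER client does, so the host cert only validates when the private root is in the trust store and the intermediate is presented alongside the host cert.

```ruby
require 'openssl'

# Build one certificate; the root is self-signed when issuer_cert is nil.
def make_cert(subject, issuer_cert, issuer_key, key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

# Constructed private CA chain (names are placeholders, not real infrastructure).
def build_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Private Root CA', nil, nil, root_key, ca: true, serial: 1)
  int_key = OpenSSL::PKey::RSA.new(2048)
  int = make_cert('/CN=Example Private Intermediate CA', root, root_key, int_key, ca: true, serial: 2)
  host_key = OpenSSL::PKey::RSA.new(2048)
  host = make_cert('/CN=files.example.internal', int, int_key, host_key, ca: false, serial: 3)
  { root: root, intermediate: int, host: host }
end

# Verify a host cert the way an HTTPS client with verify_mode = VERIFY_PEER does:
# the store holds only the CAs we explicitly trust (the cacert/capath role),
# while the server-supplied intermediates are passed as the untrusted chain.
def verify_host(host_cert, trusted_cas, intermediates)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ctx = OpenSSL::X509::StoreContext.new(store, host_cert, intermediates)
  ok = ctx.verify
  [ok, ok ? 'ok' : ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  chain = build_chain
  puts "private root trusted:  #{verify_host(chain[:host], [chain[:root]], [chain[:intermediate]]).inspect}"
  puts "empty trust store:     #{verify_host(chain[:host], [], [chain[:intermediate]]).inspect}"
end
```

Pointing the store at the OS bundle instead of an explicit list is what the issue asks the agent to do; `allow_insecure` corresponds to skipping `ctx.verify` entirely.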

"allow_insecure => true" also doesn't work when the endpoint being connected to is enforcing SSL/TLS for requestor authentication & enforcing permissions. That makes this a non-starter for us, as all of the hosts in our enterprise do this. We need a way to specify the certificate & key .pem files, and either (preferably) a capath containing all of the certificate authority certs, or a cacert file containing all of the authority certs combined.