Affected Puppet, Ruby, OS and module versions/distributions

• Puppet:
• Ruby:
• Distribution:
• Module version:

How to reproduce (e.g Puppet code you use)

What are you seeing

Invalid version number in metadata.json

Failed to evaluate /etc/puppetlabs/code-staging/environments/windows_test/Puppetfile\nOriginal exception:\nInvalid 'version' field in metadata.json: version string cannot be parsed as a valid Semantic Version\nERROR\t -> Failed to evaluate /etc/puppetlabs/code-staging/environments/windows_test/Puppetfile\nOriginal exception:\nInvalid 'version' field in metadata.json: version string cannot be parsed as a valid Semantic Version

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

A module that will allow you to install and remove your certificates on Windows machines

How?

This package should declare it's dependency on module puppetlabs/powershell

I'm using this module with puppet 3.8 and 4.6 to install certs on 2012r2 from .pfx and .cer files. Every time Inspect.ps1 is run the .pfx certificate is loaded and seems to leave a private key artifact on disk. I just looked at a machine running this module for a single cert for a year - 21,000+ files in there!

Would it be reasonable to assume if the cert matching the thumbprint is installed that the intermediate certs are there too? This would make it possible to just look up by thumbprint without loading into memory (and on disk for privateKeys)

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: Agent 6.11.1
• Ruby: built in
• Distribution: opensource puppet agent
• Module version: 4.0.0

How to reproduce (e.g Puppet code you use)

puppet module list

What are you seeing

puppet-sslcertificate requires 'puppetlabs-stdlib' (>= 4.13.1 < 6.0.0).

What behaviour did you expect instead

6.2.0 is the current version of stdlib. Stdlib version 5.x is keeping us from upgrading other modules that require version 6 for their respective upgrade dependencies.

Output log

Any additional information you'd like to impart

I'm trying to use this module to import our own internal Cert Authority cert (using a .crt file) and I think because it's just a single cert it is breaking the test of the .Count property of $pfx ($pfx.Count is undefined). I assume this is because with a single cert, $pfx is a single object not an array. Because it's not found, the test for the expected number of installed certs is false, causing the module to run import every single time. Is there some way to either force a single instance to become an array or a reliable way to detect the difference between a single object, an array of objects, and no objects (assuming that's what is returned if no valid certs are found)?

The password parameter requires a String of length 1 which means it's impossible to manage a cert without a password. Sometime, in dev environments, you may want to have a cert without a password.

https://github.com/voxpupuli/puppet-sslcertificate/blob/v3.2.0/manifests/init.pp#L82

In previous versions of the module, this worked (<= 2.2.0). As of 3.0.0 this broke due to the strict typing.

The puppet forge page for this module is confusing (see https://forge.puppetlabs.com/puppet/sslcertificate )

In one place it has the following example, with the weird ticks and puppet

sslcertificate { "Install-PFX-Certificate" :
  name       => 'mycert.pfx',
  password   => 'password123',
  location   => 'C:\',
  thumbprint => '07E5C1AF7F5223CB975CC29B5455642F5570798B'
}

Under usage it says to use "sslcert".

Looking at the module, the actual definition is to use "sslcertificate"

Affected Puppet, Ruby, OS and module versions/distributions

Puppet: Agent 6.15.0
Ruby: built in
Distribution: opensource puppet agent
Module version: 4.1.0

How to reproduce (e.g Puppet code you use)

puppet module upgrade puppetlabs-powershell

What are you seeing

Powershell module upgrade is blocked because:
'puppet-sslcertificate' (v4.1.0) requires 'puppetlabs-powershell' (>= 1.1.1 < 3.0.0)
Current version of powershell is 3.0.1

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

Unless explicitly needed, can you please update the requirement of puppetlabs-powershell? Thank you

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: Latest
• Distribution: CentOS (puppet master), Windows Server 2012 R2 (puppet agent)
• Module version: Latest

How to reproduce (e.g Puppet code you use)

Any manifest that has multiple uses of sslcertificate with the same name value.

What are you seeing

The following Agent output:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot alias Sslcertificate[Import sso.domainname.com into Local Machine /Other People] to ["sso.domainname.com.pfx"] at /etc/puppetlabs/code/environments/production/modules/abp_app/manifests/sslcerts.pp:45; resource ["Sslcertificate", "sso.domainname.com.pfx"] already declared at /etc/puppetlabs/code/environments/production/modules/abp_app/manifests/sslcerts.pp:5 at /etc/puppetlabs/code/environments/production/modules/abp_app/manifests/sslcerts.pp:45:3 on node nodename.domainname.local

What behaviour did you expect instead

That the same certificate file could be imported into each of the two locations.

Output log

See "What are you seeing" above.

Any additional information you'd like to impart

If it is not possible to have multiple uses of the same name value, could an array be used for the store_dir value instead?

Similar to the kpn-sslcertificate module, allow a paramter for the content of the file. Ex: Base-64 encoded representation of a pfx file. This means we don't have to rely on the cert being stored locally somewhere. Obviously, clean up the file after we use it.

This can be encrypted and put into hiera.

During installation of SSL certificates on Windows (at least if using PowerShell and System.Security.Cryptography.X509Certificates.X509Certificate2) it is possible to supply the friendlyName attribute. I have a need to install certificates that were not issued with friendlyName. Today we do this with a PowerShell script that adds this attribute before adding the System.Security.Cryptography.X509Certificates.X509Certificate2 object to the store System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine").

Can you add the friendlyname attribute to be passed into this module?

I had to modify this module so that it would import the private keys with my wildcard cert (.pfx file)

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppe
t::Parser::AST::Resource failed with error ArgumentError: Invalid resource type
sslcertificate at /etc/puppet/modules/...pp

Add ability to pass secure string instead of clear text password.
Will probably need a new parameter and when populated create secure string object than pass to import method.

The "CA" or intermediate store is never closed in templates/import.ps1.erb. Line 42 closes the $store object, but the $intermediatestore object is never closed. In my testing this has meant that the intermediate CA and root CA certifcates are never truly added to the "CA" store.

Is it intended that only the certificate from the PFX file designated by the thumbprint is installed?

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 2021.4.0
• Ruby:
• Distribution:
• Module version: 4.1.0

How to reproduce (e.g Puppet code you use)

How to request this module to upgrade to 'puppetlabs-powershell', '5.0.0'

What are you seeing

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

Is it possible for you to provide the certificate used to run the tests?
I would like to use it since i'm adding new arguments to the module and I would like to reuse the tests.

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: Puppet 6
• Ruby:
• Distribution:
• Module version: 4.1.0

Issue

Passing a wrong password fails silently on Windows 2019.
Tested it also on Windows 2012 R2, and it fails as expected.

My pfx file contains 1 certificate and its private key + 1 root certificate.

I tested the powershell code outside of Puppet, and I get the same results: silently failing on Windows 2019, failing as expected on Windows 2012 R2.

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet:
• Ruby:
• Distribution:
• Module version:

How to reproduce (e.g Puppet code you use)

What are you seeing

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

I am trying to use hiera with eyaml to secure my ssl certificate password. The sslcertificate.thumbprint is working correctly, but when I change the sslcertificate.password to a hiera lookup, it fails. I know my syntax is correct because the thumbprint lookup works, and I even tried an unencrypted password in my hiera file, and it still fails, whenever I use a lookup for the password. I absolutely cannot have a plain text password in my manifest, so I need to solve this issue.

I am trying to import a (Comodo) CA certificate using this module. I exported it in both P7B and CER formats (since I experienced this error first with P7B I then tried the CER). I can import either in Windows by right-click>import without a password being required.

When I try to import them with this module I am getting this error about needing a password:

  Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Must
  pass password to Sslcertificate[xxxxxxxxxxxxxxxx] at /etc/puppet
  labs/code/environments/production/modules/profile/manifests/windows/certauths.pp
  :15 on node xxxxxxxxxxxxxxxxxxxxx

Here is the way I am accessing this module:

  sslcertificate { "Install-Comodo-High-Assurance-CA" :
    name       => 'COMODO.CA.sn-46cb.p7b',
    location   => "C:\\Support\\CAs",
    store_dir  => 'CA',
    root_store => 'LocalMachine',
    thumbprint => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
    require => File["Comodo-High-Assurance-CA-File"],
  }

I basically am looking for this certificate to be imported into Trusted Root Certification Authorities.

I would open a case with Puppet support but I don't think they support these community modules?

Let me know if there is more information that would be helpful?

Thank you!

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 4.10.4
• Ruby: 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
• Distribution: Ubuntu 16.04
• Module version: 2.2.0

How to reproduce (e.g Puppet code you use)

sslcertificate { "Install MyCert" :
name => 'MyCert.crt',
location => 'C:\temp',
store_dir => 'Root',
root_store => 'LocalMachine',
password => '',
thumbprint => 'FOOBAR',
require => File['C:\temp\MyCert.crt'],
}

MyCert.crt contains a single root level certificate with no intermediates. The thumbprint value does not match this certificate.

What are you seeing

MyCert gets installed into CA rather than Root. The puppet run terminates without an error.

What behaviour did you expect instead

MyCert would not get installed and the puppet run would display an error, "Thumbprint 'FOOBAR' was not found n MyCert.crt."

Output log

Notice: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[inspect-MyCert.crt-certificate.ps1]/content:

Info: Computing checksum on file C:/temp/inspect-MyCert.crt.ps1
Info: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[inspect-MyCert.crt-certificate.ps1]: Filebucketed C:/temp/inspect-MyCert.crt.ps1 to puppet with sum 5079a791910bf353a5206d74cbb21bde
Notice: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[inspect-MyCert.crt-certificate.ps1]/content: content changed '{md5}5079a791910bf353a5206d74cbb21bde' to '{md5}5b0ce7c056d180dcd99b3004282e96bf'
Notice: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[import-MyCert.crt-certificate.ps1]/content:

Info: Computing checksum on file C:/temp/import-MyCert.crt.ps1
Info: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[import-MyCert.crt-certificate.ps1]: Filebucketed C:/temp/import-MyCert.crt.ps1 to puppet with sum 577c9b403e7cfda694853dd4d4240140
Notice: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/File[import-MyCert.crt-certificate.ps1]/content: content changed '{md5}577c9b403e7cfda694853dd4d4240140' to '{md5}8eab18b06d4642ca8bc6b4afde4fd47c'
Notice: /Stage[main]/win_instrument::Config/Sslcertificate[Install MyCert]/Exec[Install-MyCert.crt-SSLCert]/returns: executed successfully

Any additional information you'd like to impart

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 6.12.0
• Ruby: version coming with Puppet 6.12.0
• Distribution: Windows PDK
• Module version: 4.1.0

How to reproduce (e.g Puppet code you use)

1. Download certificates from Windows Update into the file roots.sst using for example: certutil -generateSSTFromWU roots.sst
2. Use puppet-sslcertificate to install certificates from roots.sst.

What are you seeing

If thumbprint matches any of the certificate's thumbprint already in the Windows certificate store, it doesn't install any of the certificates in roots.sst. Otherwise, it always install all the certificates in roots.sst.

What behaviour did you expect instead

For p7b or sst file, and possibly pfx file, thumbprint should not be used to test if the certificates in the file should be installed or not:
https://github.com/voxpupuli/puppet-sslcertificate/blob/8f5722c8f0f0833e40ffebc6952df97c25f16a5c/templates/inspect.ps1.erb#L1
Instead if should get the thumbprints of each certificates in the file (eg: using certutil -dump <file>) and use those to figure out if the file needs to be installed or not.

Output log

N/A

Any additional information you'd like to impart

N/A

Citing lines 30-33 of import.ps1.erb, it should be noted that the X509Store.Add method will result in the certificate being imported with "Microsoft Enhanced Cryptographic Provider v1.0" as evidenced by running the command certutil -store My. This is the same behavior as using the "Install PFX..." option from the context menu or importing it using certlm.msc.

This differs from the Import-PfxCertificate PowerShell command, however, which imports the same *.pfx with "Microsoft Software Key Store Provider."

Please consider extending the script to support either as an option in the event this detail becomes relevant in certain environments.

Additional resources:

• Microsoft Software Key Storage Provider
• Microsoft Enhanced Cryptographic Provider v1.0

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 202.7.2
• Ruby:
• Distribution:
• Module version: 4.1.0

How to reproduce (e.g Puppet code you use)

What are you seeing

'puppet-sslcertificate' (v4.1.0) requires 'puppetlabs-stdlib' (>= 4.13.1 < 7.0.0).

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

This functionality would also be beneficial for Linux

From what I can see in the execution reports.
This module trying to install my cert in every run.
It should verify prior to installation if the certificate is already present in the destination store.

I recently discovered that this module will not install a certificate that is located on a UNC drive share, e.g. \\NetApp\Sharename\MyCert.pfx. The double-slash is ignored, and the path is rewritten as C:\NetApp\Sharename\MyCert.pfx, which results in a file-not-found error, but does not return failure in creating the resource. (!!!)

This shortcoming should at least be documented. Ideally, the module should handle UNC paths correctly, but it should at least return failure if the given path does not exist.