voxpupuli / puppet-openssl Goto Github PK

You must have gotten the dependency version number wrong for puppetlabs-stdlib:

Warning: Module 'puppetlabs-stdlib' (v4.1.0) fails to meet some dependencies:
'camptocamp-openssl' (v0.1.0) requires 'puppetlabs-stdlib' (v0.0.1)

Now that #17 is fixed, it would be helpful to upload a new release of this module to Puppet Forge.

dhparam generation can be quite time expensive but openssl provides a flag for faster generation named -dsaparam
details on https://security.stackexchange.com/a/95184

the following code is just quick test implementation:

define openssl::dhparam(
  $path,
  $ensure = present,
  $size = 512,
  $owner = 'root',
  $group = 'root',
  $mode = '0644',
  $fastmode = true,
) {

  validate_absolute_path($path)
  validate_re($ensure, '^(present|absent)$',
    "\$ensure must be either 'present' or 'absent', got '${ensure}'")
  validate_integer($size, '', 1) # positive integer
  validate_string($owner)
  validate_string($group)
  validate_string($mode)

  dhparam { $path:
    ensure => $ensure,
    size   => $size,
    fastmode => $fastmode,
  }

  # Set file access
  file { $path:
      ensure  => $ensure,
      owner   => $owner,
      group   => $group,
      mode    => $mode,
      require => Dhparam[$path];
  }
}

require 'pathname'
Puppet::Type.newtype(:dhparam) do
  desc 'A Diffie Helman parameter file'

  ensurable

  newparam(:path, :namevar => true) do
    validate do |value|
      path = Pathname.new(value)
      unless path.absolute?
        raise ArgumentError, "Path must be absolute: #{path}"
      end
    end
  end


  newparam(:size) do
    desc 'The key size'
    newvalues /\d+/
    defaultto 512
    validate do |value|
      size = value.to_i
      if size <= 0 || value.to_s != size.to_s
        raise ArgumentError, "Size must be a positive integer: #{value.inspect}"
      end
    end
  end

  newparam(:fastmode) do
    desc 'Enable fast mode'
    defaultto false
    #validate do |value|
      #size = value.to_i
      #if size <= 0 || value.to_s != size.to_s
      #  raise ArgumentError, "Size must be a positive integer: #{value.inspect}"
      #end
    #end
  end
end

require 'pathname'
Puppet::Type.type(:dhparam).provide(:openssl) do
  desc 'Manages dhparam files with OpenSSL'

  commands :openssl => 'openssl'

  def exists?
    Pathname.new(resource[:path]).exist?
  end

  def create
    if resource[:fastmode]
        fastmode="-dsaparam"
    else
        fastmode=""
    end


    options = [
      'dhparam',
      fastmode,
      '-out', resource[:path],
      resource[:size]
    ]
    openssl options
  end

  def destroy
    Pathname.new(resource[:path]).delete
  end
end

While working on the manifests for one of my servers, I started getting errors, seemingly out of nowhere:

Error: Could not run Puppet configuration client: cannot load such file -- inifile
Error: Could not run: can't convert Puppet::Util::Log into Integer

A little searching suggested that this might be a missing gem. Once I added it, things started working again:

bshacklett@[redacted]:/etc/postfix$ sudo gem install inifile
Fetching: inifile-3.0.0.gem (100%)
Successfully installed inifile-3.0.0
1 gem installed
Installing ri documentation for inifile-3.0.0...
Installing RDoc documentation for inifile-3.0.0...
bshacklett@[redacted]:/etc/postfix$ sudo puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for [redacted]
Info: Applying configuration version '1458314904'
Notice: Finished catalog run in 0.35 seconds

Does the module handle the installation of this gem? If not, how is it supposed to be installed? It seems odd that it was working, then stopped out of nowhere and required that the gem be installed manually.

May I suggest adding an $ensure paramter similar to:

class openssl (
  $package_ensure => present,
){
}

class openssl::packages {
  package { 'openssl':
    ensure => $openssl::package_ensure,
  }
}

If no one has any objection, I will make the change and submit a pull request.

Any thoughts?

see http://docs.puppetlabs.com/guides/templating.html#testing-for-undefined-variables

< <% if has_variable?("state") -%>

---
> <% if @state -%>
23c23
< <% if has_variable?("locality") -%>

---
> <% if @locality -%>
27c27
< <% if has_variable?("unit") -%>

---
> <% if @unit -%>
31c31
< <% if has_variable?("email") -%>

---
> <% if @email -%>

For some scenarios it is helpful to be able to issue certificates with IP: SANs.

I just wanted to create single certificate for multiple domains, but that feature doesn't seem to work.

My Puppet manifest:

openssl::certificate::x509 { 'test1':
  country      => 'US',
  organization => 'Dev',
  commonname   => 'domain.tld',
  altnames     => ['anotherdomain.tld', 'subdomain.domain.tld'],
}

Created certificate contains domain.tld as "Common Name", but there are no records about SAN (Subject Alternative Names).

I think you should improve doc to show that if you want a cert to be generated without password / passphrase, you only have to set openssl::certificate::x509::password to undef, as this isn't obvious.

I am trying to generate a pkcs12 certificate for Tomcat. The private key is password protected.

The export command fails because a prompt is asking for the private key password which is not supplied (see 'User interface error' below)

pkcs12.pp needs to use the -passin option to decrypt the private key (see https://www.openssl.org/docs/apps/pkcs12.html).

Notice: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: Enter pass phrase for /var/www/ssl/tomcat.self.signed.key:
Notice: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: User interface error
Notice: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: unable to load private key
Notice: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: 139988079081120:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:458:
Notice: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: unable to write 'random state'
Error: openssl pkcs12 -export -in /var/www/ssl/tomcat.self.signed.crt -inkey /var/www/ssl/tomcat.self.signed.key -out /var/www/ssl/tomcat.self.signed.p12 -name tomcat.self.signed -nodes -noiter -passout pass:9hC9X9Sn4Tew returned 1 instead of one of [0]
Error: /Stage[main]/Profile::Tomcat/Certificate::Pkcs12[tomcat.self.signed]/Openssl::Export::Pkcs12[tomcat.self.signed]/Exec[Export tomcat.self.signed to /var/www/ssl/tomcat.self.signed.p12]/returns: change from notrun to 0 failed: openssl pkcs12 -export -in /var/www/ssl/tomcat.self.signed.crt -inkey /var/www/ssl/tomcat.self.signed.key -out /var/www/ssl/tomcat.self.signed.p12 -name tomcat.self.signed -nodes -noiter -passout pass:9hC9X9Sn4Tew returned 1 instead of one of [0]

Hello,

your module calls /usr/local/sbin/generate-ssl-cert.sh but /usr/local/sbin/generate-x509-cert.sh is the correct name.

Regards.

If I interpret this correctly, in #39 there have been attempts made to generate and manage a CA.
However, as the original pull request was closed by the original author without apparent reason, there is currently no way to create and manage a CA and generate certificates signed by the managed CA (or any CA for that matter).

I would like to push a discussion, if this is a feature that is wanted/planned as well as find some pointers on how we could implement this. I have thus far looked into the module and roughly understood how it works. Unfortunately I dont think I have the necessary knowledge yet to implement a fitting solution.

Additionally I think, this could be split into several features:

• Generate a CA
• Manage a CA (can be coupled with the generation)
• Allow the possibility to sign certs against an existing CA file (this i think can be done independently of the other features)

Any comments, pointers and help in general is very appreciated :)

Problem description

The custom fact openssl_version resolves to nil:

/opt/puppetlabs/bin/facter -p -d --no-color 2>&1 | grep openssl
[2021-12-29 00:12:43.868917 ] DEBUG Facter::Core::Execution::Posix - Executing command: /bin/openssl version 2>&1 
[2021-12-29 00:12:43.891068 ] DEBUG Facter::Util::Fact - value for openssl_version is still nil 

Environment

voxpupuli/puppet-openssl 2.0.0

CentOS 8.5.2111
Puppet Agent 7.13.1
Facter 4.2.6

$ /bin/openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Additional context

AFAICT this issue should not exist, it was resolved in 5fe38f9 but still doesn't work for me.

The in_pass and out_pass params are set to Boolean at https://github.com/camptocamp/puppet-openssl/blob/master/manifests/export/pkcs12.pp#L19, which doesn't allow for inputting the passwords. The param type should probably be Variant[Boolean, String] or something similar.

At time certs come in DER format which is generally unusable for Unix environments. Being able to convert them to PEM using automation would allow internally signed certs from AD cert manager to seemly make its way into unix/linux environments.

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 7.24.0
• Ruby:
• Distribution: CentOS Stream 9
• Module version: 2.0.1

How to reproduce (e.g Puppet code you use)

class { '::openssl::certificate':
     x509_certs => { '/path/to/certificate.crt' => {  ensure      => 'present',
                                                      password    => 'j(D$',
                                                      private_key => '/there/is/my/private.key',
                                                      days        => 4,
                                                      force       => false,}
                    }
}

What are you seeing

When the certificate expires, puppet doesn't appear to care

What behaviour did you expect instead

When the certificate expires, a new cert would be generated from the private key

Output log

Any additional information you'd like to impart

Hello,

Would you please make openssl config parameters accessible via class parameters? This would allow us to use hiera to manage parameters more gracefully than with individual template files.

As of version v1.10.0,

ssl_pkey { '/path/to/private.key': }

does not create a private key but

ssl_pkey { '/path/to/private.key':
  ensure => 'present',
}

does. ensure => present should be the default.

The default of false for out_pass does not work.

Per this, you need to specify a blank password to get no password.
This is our experience as well.
http://stackoverflow.com/questions/27497723/export-a-pkcs12-file-without-an-export-password

A current workaround is to set

out_pass => ''

However this is not a permanent solution and the default should really work.

I think this code should fix it:

      $passout_opt = $out_pass ? {
        false   => '-passout pass:',
        default => "-passout pass:${out_pass}",
      }

So, this module needs a few things to bring it up to standard. As puppet6 is EOL, puppet7 being the default standard right now and puppet8 release just happened, this module needs to migrate upwards.

Steps:

• First enable puppet7 support additionally to puppet6 (migration version)
• Then drop support for puppet6
• Then maybe add support for puppet8

bastelfreak did some things with modulesync here:
#139 and #160 but the CI seems to not like any of it; #139 CI run is too old to have logs, so we might want to rerun the workflow or open a new PR

Let's say that we have a separate tool for managing certificates (Comodo Certificate Manager in our case) and that we want to manage our openssl.cnf independently of any specific certificate we generate. Being able to configure the top-level class in this way would be exceptionally helpful, especially for setting package versions or site-wide options. I suppose that this could be done within the context of a private key (SSL's useless without one), but being able to configure the overall class and not just individual keys/csrs/ certs would be valuable.

x509_request doesn't implement a refresh function, so you can't notify it or subscript it to the .cnf file. On refresh the CSR file should be created again.

On the following line there is a $ when there should be a @.

https://github.com/camptocamp/puppet-openssl/blob/6060123d08656e78b300c1badba2bfec2c2ed01b/templates/cert.cnf.erb#L17

I forked the repo, updated it, and tested it after the change. Works well.

Hi,

In the openssl config template please replace all references to has_variable?("var") with a simple if @var test.

More info here: http://docs.puppetlabs.com/guides/templating.html#referencing-variables

Cheers!

As of v1.10.0,

ssl_pkey { '/path/to/private.key':
  ensure => 'present',
}

creates a private key file with 0644 permissions. Given the security critical role of private keys, this should default to 0600 and be changeable with the usual user, group and mode options.

I'm creating a self-signed cert with openssl::certificate::x509, like so:

 ssl_prefix => 'ukprd'
 servicename => "uk.example.com",
 altnames   => ['uk.example.com','server.example.co.uk'],

then using:

 openssl::certificate::x509 { "${ssl_prefix}":
    ensure       => present,
    country      => 'GB',
    organization => 'My Company Ltd',
    commonname   => "$servicename",
    state        => 'London',
    locality     => 'London',
    unit         => 'Engineering',
    altnames     => $altnames,
    email        => '[email protected]',
    days         => 3650,
    base_dir     => "/www/${name}/ssl",
    owner        => 'root',
    password     => "$ssl_pass",
    force        => false,
 }

and in the resulting CSR, I see everything as it should be:

$ openssl req -text -noout -in ./server.example.com/ssl/ukprd.csr
Certificate Request:
  Data:
    Version: 0 (0x0)
    Subject: C=GB, ST=London, L=London, O=My Company Ltd, OU=Engineering, CN=uk.example.com/[email protected]
...
    Attributes:
    Requested Extensions:
        X509v3 Subject Alternative Name: 
            DNS:uk.example.com, DNS:server.example.co.uk
...

(as per the generated ukprd.cnf OpenSSL configuration file)

but the created certificate doesn't include those alternative names:

$ openssl x509 -text -in ./server.example.com/ssl/ukprd.crt -noout

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number:
           99:57:4b:c4:5c:7c:99:e6
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=GB, ST=London, L=London, O=My Company Ltd, OU=Engineering, CN=uk.example.com/[email protected]
...
       Subject: C=GB, ST=London, L=London, O=My Company Ltd, OU=Engineering, CN=uk.example.com/[email protected]
...

RANDFILE has an incorrect value ($ENV::HOME) on ubuntu 12.04.04.

Steps to reproduce the bug:

• Using current RANDFILE value ($ENV::HOME) on Ubuntu 12.04.04, openssl version 1.0.1-4ubuntu3
• Apply the following manifest:

  openssl::certificate::x509 { 'test.example.com':
    ensure       => present,
    country      => 'ES',
    organization => 'example.com',
    commonname   => $fqdn,
    base_dir     => '/tmp',
    owner        => 'root',
    password     => 'fake',
  }

Current behaviour:

• The following error is shown:

Error: Execution of '/usr/bin/openssl req -new -key /tmp/test.example.com -config /tmp/mail.awsdev.netquestapps.com.cnf -out /tmp/test.example.com.csr -passin pass:fake' returned 1: error on line 6 of /tmp/test.example.com.cnf
139940285789856:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 6

Expected behaviour:

• Certificates should be generated.

Way to fix the bug:

• Use absolute path (using /root/.rnd fixes the bug)

according the readme the following should work:

dhparam { '/path/to/dhparam.pem': }

dhparam { '/path/to/dhparam.pem':
  size => 2048,
}

but looking at the code $path is not set to $name by default. so the code has to be changed like this:

define openssl::dhparam(
  $path = $name,
  ...
) {

or the readme should be changed:

dhparam { 'mainfile': path => '/path/to/dhparam.pem': }

dhparam { 'mainfile':
  path => '/path/to/dhparam.pem'
  size => 2048,
}

It would be good to have a function to read certificate expiration date.

My use case would be along these lines:

• if certificate expires more than X days in the future, do nothing
• if it expires less than or equal to X days in the future, notify an exec that would delete the certificate file and its key
• then openssl::certificate::x509 (which I'd mark to require the exec before it, to force correct ordering) would simply re-generate a new key and a new cert
• then anything subscribing openssl::certificate::x509 would take care of application reloads and the like

Any plans for adding support method for PE2015.2.3? After merging following 5a57c67 we're following error:
Error: Facter: error while resolving custom fact "openssl_version": undefined method `[]' for nil:NilClass

Right now it just defaults to "present". A parameter called "package_version" should be added to the openssl class.

Will you accept a PR for an openssl version fact?

I'm really missing a feature which provides a resource type that is taking a certificate, resolves it's issuer chain, gets all the intermediates and stores the full chain in a PEM file.

This is a bug report and a discussion (hopefully) at the same time.
This module offers 2 templates (one .erb and one .epp) for configurations and a parameter in the certificate::x509 class to change the configuration file to be used (defaults to: openssl/cert.cnf.erb). This works perfectly fine as long as one uses the .erb template. However as soon as someone wants to change the path-parameter to use the cert.cnf.epp template instead, syntax errors occure. This is caused by the use of the template function (which does not allow epp template files; the appropriate function for epp-templates would be epp() ).

This bug could surely be fixed by specialcasing based on the file-ending or similar means, but in my opinion this doesnt tackle the underlying issue of how the configuration file is managed. Is there a reason to allow users to exchange templates accross modules?
In my opinion this is bad practice and should someone need a very custom configuration file, we should either expand our template to be generic enough for all use-cases, or the user can generate this file themselfes and pass it through the cnf parameter of the same class. Albeit I am not sure if there should be a check added to only manage the cnf file if the cnf-parameter is empty.
At the same time it seems the templates have diverged in their features and functionalities, this is bad for maintainability.

In my opinion the steps to correct this bug and improve maintainability, we should merge the features of the two templates into one template (probably best done in one .epp template), use the correct function for rendering the template and possibly get rid of the cnf_tpl parameter as cross referencing templates from other modules seems wrong on a very basic level.

In the end there should only exist one template (that provides all functionalities/configuration options a user needs) and all features someone suggest get added to this one template to ensure this is maintainable.

Maybe a maintainer can provide some thoughts, if this would be appreciated? I can provide code/tests and documentation should the changes be wanted.

Please add support for stdlib 9 (or add <10.0.0 as upper boundry).

If a new cert and/or key are provided the exec for creating the pkcs12 file is not rerun due to it utilizing the creates parameter.

I was reviewing the below code, because of suspected failing its purpose:

My analysis unveiled, that neither the if nor the elsif branches are ever executed. This is because the ini_file's initialize method does not read and parse the file itself, thus each call to its get_section method is returning nil.

An instance of Puppet::Util::IniConfig::PhysicalFile would need the invocation of its read method to read and parse the file, but that's never happen. Using this class to parse an OpenSSL config file constructed by this module's templates/cert.cnf.epp would, however, end up raising IniParseError with the message Property with key HOME outside of a section from puppet/util/inifile.rb#L185. AFAIK, there is no specification for the format of ini files, however, Microsoft and OpenSSL seem to treat them differently. Nevertheless, Puppet::Util::IniConfig::PhysicalFile.parse method does not support keys before the first section header, thus it seems not suitable for parsing OpenSSL style config files.

In that sense the old_cert_is_equal method of the x509_cert openssl provider would need to be reviewed.

This doesn't create the file unless ensure is uncommented, which should be the default operation.

dhparam { '/etc/openvpn/dh2048.pem': 
    size         => 2048,
    require    => Package['openvpn'],
    # ensure => 'present'    
 }

OpenLDAP unfortunately does not like encrypted private keys. As it stands, the current output generates encrypted keys always as it directly uses the ruby SSL calls. Interestingly, the PKCS12 export uses the commandline with the -nodes option, which is what we need for the ssl_pkey creation as well.

Ideally, I'd like to have a flag on ssl_pkey and the openssl::certificate::x509 that allows us to turn encryption off.

The module currently lists this as optional when, at least on the box I tested on, an out password is required by OpenSSL.

If the ‘size’ of the resource has changed, new dhparams should be generated.

Why? Given the logjam vulnerability and to prevent regression in the event of a dhparams file being manually overwritten.

This would work nicely for the case where the user, having managed their dhparams via this lovely puppet module (like myself), needs to upgrade a whole bunch of dhparams in one go…

Similarly, since regenerating based on size will require puppet to parse a dhparams file I think it would also make sense for an invalid /corrupted dhparams file to be regenerated.

I've done a little experimentation so far making the type use size as a property and get the following:

Given a dhparam managed like this in puppet

dhparam { '/tmp/dhparam.pem':
    size   => 2048,
}

and then overriding it:

openssl dhparam -out /tmp/dhparam.pem 16

I get the following:

Notice: /Stage[main]/Openssl/Dhparam[/tmp/dhparam.pem]/size: size changed '16' to '2048'
Notice: Applied catalog in 46.97 seconds

similarly for a file that is not a valid dhparams :

Notice: /Stage[main]/Openssl/Dhparam[/tmp/dhparam.pem]/size: size changed '' to '2048'
Notice: Applied catalog in 67.06 seconds

Error: Could not run Puppet configuration client: /usr/lib/ruby/gems/1.8/gems/inifile-3.0.0/lib/inifile.rb:558: undefined (?...) sequence: /\A"(.*)(?<!\\)"\z/

This is on the current HEAD.

Google Chrome will stop trusting SHA1 after Jan 2017:
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

Suggest changing the default in: puppet-openssl/templates/cert.cnf.erb
to sha256

Puppet 4 has more strict typing, and certain params fail to validate.

2016-04-11 19:33:52,886 ERROR [puppet-server] Puppet Evaluation Error: Error while evaluating a Function Call, validate_re(): input needs to be a String, not a Fixnum
2016-04-11 19:33:53,132 ERROR [puppet-server] Puppet Evaluation Error: Error while evaluating a Function Call, 0 is not a string.  It looks to be a Fixnum
2016-04-11 19:33:53,133 ERROR [puppet-server] Puppet Evaluation Error: Error while evaluating a Function Call, 0 is not a string.  It looks to be a Fixnum at /etc/puppet/environments/production/modules/openssl/manifests/certificate/x509.pp:144:3 on node box.domain.com
2016-04-11 19:33:53,133 ERROR [puppet-server] Puppet Evaluation Error: Error while evaluating a Function Call, 0 is not a string.  It looks to be a Fixnum

• Puppet: 6.28.0
• Ruby: ruby 2.5.9p229 (2021-04-05 revision 67939) [x86_64-linux]
• Distribution: Rocky Linux release 8.6
• Module version: 2.0.1

[root@server ~]# cat /etc/rocky-release
Rocky Linux release 8.6 (Green Obsidian)
[root@server ~]# facter -p openssl_version

[root@server ~]# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Using the regex found in the fact code:

irb(main):001:0> a = 'OpenSSL 1.1.1k  FIPS 25 Mar 2021'
=> "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
irb(main):002:0> b = %r{^OpenSSL ([\w.\-]+)( FIPS)?( +)([\d.]+)( +)([\w.]+)( +)([\d.]+)}.match(a)
=> nil

I did further testing, and it seems it starts failing at [w.\-]. To me, it doesn't look like [\w.\-]+ will match 1.1.1k, even though for some reason it does work on CentOS 7.9 with "OpenSSL 1.0.2k-fips".

For me, this seems work better:
(Focussing on the version substring and "fips" parts, with OpenSSL version strings found on Rocky Linux 8.6 and CentOS 7.9)

irb(main):001:0> a = 'OpenSSL 1.1.1k  FIPS 25 Mar 2021'
=> "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
irb(main):002:0> b = %r{ \d.\d.\d\w?([\s]+|\-)(fips|FIPS)?}.match(a)
=> #<MatchData " 1.1.1k  FIPS" 1:"  " 2:"FIPS">
irb(main):003:0> b[0].strip() if b
=> "1.1.1k  FIPS"

irb(main):011:0> c = 'OpenSSL 1.0.2k-fips  26 Jan 2017'
=> "OpenSSL 1.0.2k-fips  26 Jan 2017"
irb(main):012:0> d = %r{ \d.\d.\d\w?([\s]+|\-)(fips|FIPS)?}.match(c)
=> #<MatchData " 1.0.2k-fips" 1:"-" 2:"fips">
irb(main):013:0> d[0].strip() if d
=> "1.0.2k-fips"

I'm by no means a Ruby nor regex expert, and I'm only improvising with the regex currently present in the fact. Therefore, I'm hesitant to create a PR, because I'm unsure if it will work correctly in all cases. But, maybe this helps.

If the pkcs12 export fails or is debugged in puppet the password leaks.

Suggesting to set command as Sensitive

command => Sensitive(inline_template('<%= @cmd.join(" ") %>')),

https://github.com/camptocamp/puppet-openssl/blob/master/manifests/export/pkcs12.pp#L51

Thanks!

It would be nice if this module allows users to export signed certificates and import them on other hosts.
For example: define and export a certificate on host1, then import and realize the certificate on host2
Right now the contents of the certificate are created life on the importing host (making the contents of the certificate different than they are on the exported host).

I have no idea if this is even possible. My guess is this would need some work in the cert/key providers, if this even at all possible in puppet.

Have been trying to create a new certificate with no passphrase on the private key.

Passing 'password' as undef doesn't work.
Not passing 'password' doesn't work.

It results in the following

Enter PEM pass phrase:

How to reproduce:

1. setup clear ubuntu 14.04 (for me docker was good enough)
2. setup puppet, default version in 14.04 is 3.4.3, but seems this error can be reproduced on any puppet version
   apt-get install puppet
3. install module
   puppet module install camptocamp-openssl
4. run puppet apply
   puppet apply -e "dhparam { '/tmp/dhparam.pem': ensure => present, size => 2048 }" --modulepath=/etc/puppet/modules --verbose
5. receive following message:
   Error: Parameter size failed on Dhparam[/tmp/dhparam.pem]: comparison of String with 0 failed at line 1 Wrapped exception: comparison of String with 0 failed

There is an if around the ca-certificates package.