Bug #20070
Agent key does not work for HTTP on migrations (closed)
Description
CFEngine removed the passphrase on its private key between 3.15 and 1.18:
Private keys generated by cf-key are no longer encrypted. Private key files encrypted with a broken cipher and default hard coded passphrase provide no real security, and is only an inconvenience. Maybe it was intended to add a password prompt later, but it's been 10 years now, and the cipher and passphrase remain untouched. The function which reads keys still supports both encrypted and unencrypted keys, it will decrypt if necessary.
So on 7.0 new installs, Apache can use the private key, but not with previous keys, kept when migrating from pre-7.0.
We can just remove the passphrase as a migration step to ensure Apache can read the key.
It is not a problem for the agent as all servers upgraded in 7.0 will have a 3.18 agent.
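A sketch of the migration step described above, added here as an illustration; it is not the code from the linked pull request. The function names are hypothetical, and the key file and a file holding the old passphrase are supplied by the caller (neither value is given on this page).

```shell
#!/bin/sh
# Added example: helper names are hypothetical; the key path and the old
# passphrase file are passed in by the caller, not taken from Rudder.

# Return 0 if the PEM file holds a passphrase-protected private key.
key_is_encrypted() {
    # Traditional PEM encryption carries a "Proc-Type: 4,ENCRYPTED" header;
    # PKCS#8 uses a dedicated "ENCRYPTED PRIVATE KEY" label instead.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Rewrite the key in place without a passphrase. Safe to run repeatedly.
#   $1 = private key file
#   $2 = file containing the old passphrase (keeps it off the command line)
# Returns 0 on success or if nothing had to be done, 2 if the key is not
# readable, 3 if no temporary file could be created, 4 if decryption failed.
strip_key_passphrase() {
    key="$1"
    passfile="$2"
    [ -r "$key" ] || return 2
    key_is_encrypted "$key" || return 0      # already plain: nothing to do

    # Temporary file in the same directory so the final mv is atomic.
    tmp=$(mktemp "${key}.XXXXXX") || return 3
    chmod 600 "$tmp"                         # never leave the key world-readable

    if openssl rsa -in "$key" -passin "file:$passfile" -out "$tmp" 2>/dev/null \
        && ! key_is_encrypted "$tmp"; then
        mv -f "$tmp" "$key"
    else
        rm -f "$tmp"                         # keep the original key untouched
        return 4
    fi
}
```

Because the function leaves an already-unencrypted key alone and never replaces the original on failure, it can run on every upgrade without a separate "already migrated" marker.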
Updated by Alexis Mousset about 3 years ago
- Subject changed from Agent certificate does not work for HTTP on migrations to Agent key does not work for HTTP on migrations
Updated by Alexis Mousset about 3 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset about 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-agent/pull/350
Updated by Alexis Mousset about 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-agent|c98bca04144e450c847bab97c7d7d00de0841ad6.
Updated by Vincent MEMBRÉ about 3 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.0.0~beta2 which was released today.