Yes, that's probably a better workaround.

I'll check that with Apache when I get a chance and make sure it
doesn't break anything.

There should possibly be a check, even in 2.6, that ensures that CN !=
$fqdn as this causes the breakage.

It can be anything else, but should definitely be unique per system
just in case we ever manage to get the multiple CA thing working, so
perhaps with the host name bundled in there as you have it.

Thanks,

Trevor

On Tue, Jul 13, 2010 at 11:35 PM, Jeff McCune <[email protected]> wrote:
> On Tue, Jul 13, 2010 at 3:59 AM, Trevor Vaughan <[email protected]> 
> wrote:
>> Are you sure?
>>
>> When I did this patch, and let puppet rebuild, the CN did appear to be
>> set to the new name.
>>
>> Example: CN=puppet-ca.test.net
>>
>> Oh, and I forgot that you can't use '_' in a proper FQDN for my example
>> below.
>
> OK, I understand what's going on now.
>
> So, there is no requirement the CN field should actually look like a
> hostname.  In fact, it should not look like a hostname to prevent
> confusion in my opinion.
>
> I was confused and thought you were appending information to the fqdn
> fact, whereas you are actually modifying the hostname, with the
> domain appended somewhere else in the code.
>
> In Puppet 2.6.x the --ca_name configuration setting makes all of this
> a moot point, though the default should still not use fqdn or hostname
> + domain as the default value as I have filed in .  If you need this
> to work in 0.25.x, I strongly recommend changing your patch to *prepend*
> something to the CN field rather than appending something to the
> hostname portion of the FQDN.
>
> A CN of "Puppet CA - puppet.test.net" is perfectly valid and
> preferable in my opinion to puppet-ca.test.net, which probably isn't a
> valid host fqdn.
>
> Please try your fix if you need it in 0.25.x using something like:
>
> name = "Puppet CA - #{Facter["fqdn"].value}"
>
> This will both prevent the issue of the CA CN field matching the SSL
> CN field and the issue of confusing FQDNs in the CN field.
>
> I've created issue #4226 to track this change:
> http://projects.puppetlabs.com/issues/4226
>
> --
> Jeff McCune
> http://www.puppetlabs.com/
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/puppet-dev?hl=en.
>
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
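
The following is an added example, not code from this thread or from Puppet: a sketch of the CN != fqdn check suggested above, combined with the "Puppet CA - <fqdn>" naming from the quoted reply. It also shows one observable effect of a collision: the server certificate's issuer and subject names become identical. It assumes certificate subjects contain only a CN; the helper names and the host name `puppet.test.net` are constructed for illustration.

```ruby
require 'openssl'

# Hypothetical helper: CA name in the "prepend" form suggested in the thread.
def ca_name_for(fqdn)
  "Puppet CA - #{fqdn}"
end

# The proposed check: refuse a CA CN that equals the host's FQDN.
# DNS names are case-insensitive, so compare case-folded, without a trailing dot.
def assert_ca_cn_distinct!(ca_cn, fqdn)
  norm = ->(s) { s.strip.downcase.chomp('.') }
  if norm.(ca_cn) == norm.(fqdn)
    raise ArgumentError, "CA CN #{ca_cn.inspect} matches host FQDN #{fqdn.inspect}"
  end
  ca_cn
end

# Build a CN-only certificate; self-signed unless an issuer cert and key are given.
def build_cert(cn, key, issuer_cert = nil, issuer_key = key, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn, OpenSSL::ASN1::UTF8STRING]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True when the CA-signed server certificate has identical issuer and subject
# names, i.e. by name alone it cannot be told apart from a self-signed cert.
def leaf_looks_self_signed?(ca_cn, fqdn)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(ca_cn, ca_key)
  leaf = build_cert(fqdn, OpenSSL::PKey::RSA.new(2048), ca, ca_key, serial: 2)
  leaf.issuer.to_s == leaf.subject.to_s
end

if __FILE__ == $PROGRAM_NAME
  fqdn = 'puppet.test.net' # constructed sample host name
  puts "CA CN == fqdn:      #{leaf_looks_self_signed?(fqdn, fqdn)}"
  puts "CA CN prepended:    #{leaf_looks_self_signed?(ca_name_for(fqdn), fqdn)}"
  puts "accepted CA name:   #{assert_ca_cn_distinct!(ca_name_for(fqdn), fqdn)}"
end
```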
