Issue #4226 has been reported by Jeff McCune.

----------------------------------------
Bug #4226: Puppet ca_name configuration setting should not default to the fqdn 
of the host.
http://projects.puppetlabs.com/issues/4226

Author: Jeff McCune
Status: Unreviewed
Priority: Normal
Assigned to: 
Category: 
Target version: 
Affected version: 2.6.0rc2
Keywords: ssl ca crl certificate revocation
Branch: 


Overview:
There are numerous issues with enabled checking of certificate revocation list 
(CRL) files.  These issues appear to be caused by the CN field of the CA 
certificate exactly matching the CN field of the SSL certificate used on the 
puppet master host.

One possible solution is to change the default value of the CN field for the CA 
certificate to be distinct and unique from the CN field of the SSL certificate 
on the puppet master.  This may be accomplished by changing the default value 
of the ca_name configuration setting to something other than the FQDN of the 
host.

Expected Behavior:
CRL checking should work when enabled.

Actual Behavior:
CRL checking does not work when the CN field of the CA certificate exactly 
matches the CN field of the SSL server certificate.

Steps to reproduce:
Create a default puppet master SSL setup whereby the CN name of both the CA 
and SSL certificates is the FQDN of the host.

Enable SSL CRL checking on the puppet master.

Notice that CRL checking fails due to a conflict and confusion over the correct 
certificate to use.

Suggested fix:
Change the behavior of the ca_name configuration setting to create a CA 
certificate with a CN of:

"Puppet CA #{Facter["fqdn"].value}"

rather than the current behavior of "#{Facter["fqdn"].value}" or 
"#{Facter["hostname"].value}.#{Facter["domain"].value}"
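As an added illustration (not Puppet's code), the Ruby script below issues a CA certificate, a host certificate and a CRL with Ruby's OpenSSL bindings, then shows the conflict the report describes: when ca_name is the host FQDN, a store keyed by CN holds two certificates under one name and two certificates match the CRL's issuer name, whereas the suggested "Puppet CA #{fqdn}" name is unambiguous. The FQDN value and the CN-keyed store are constructed assumptions for the demonstration.

```ruby
require 'openssl'

# Constructed example: build a cert with the given CN, signed by issuer_cert
# (or self-signed when issuer_cert is nil). Not Puppet's own issuing code.
def make_cert(cn, key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  ef_value = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", ef_value, true))
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Issue a CA (with CN = ca_cn), a host cert for host_fqdn, and an empty CRL.
def build_pki(ca_cn, host_fqdn)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  host_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(ca_cn, ca_key, nil, ca_key, 1, ca: true)
  host = make_cert(host_fqdn, host_key, ca, ca_key, 2)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
  { ca: ca, host: host, crl: crl }
end

# Index certificates by CN the way a name-keyed store would (assumption);
# returns the CNs under which more than one certificate is filed.
def cn_collisions(*certs)
  by_cn = Hash.new { |h, k| h[k] = [] }
  certs.each { |c| by_cn[c.subject.to_a.find { |n, _, _| n == "CN" }[1]] << c }
  by_cn.select { |_, list| list.size > 1 }.keys
end

# Certificates whose subject name matches the CRL issuer name; more than one
# candidate means a name-only lookup cannot tell CA from host certificate.
def crl_issuer_candidates(crl, *certs)
  certs.select { |c| c.subject.to_s == crl.issuer.to_s }
end
```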
