Issue #4226 has been updated by Markus Roberts.

Status changed from Ready for Checkin to Closed

Pushed to 2.6.x in commit:66cf3a925b4b6d9b40cbdf95f2be6575bb05a881

----------------------------------------
Bug #4226: Puppet ca_name configuration setting should not default to the fqdn of the host.
http://projects.puppetlabs.com/issues/4226

Author: Jeff McCune
Status: Closed
Priority: Normal
Assignee: Jacob Helwig
Category: 
Target version: 2.6.2
Affected version: 
Keywords: ssl ca crl certificate revocation
Branch: http://github.com/jhelwig/puppet/tree/ticket/2.6.x/4226-root-ca-name


Overview:
There are numerous issues with enabled checking of certificate revocation list 
(CRL) files.  These issues appear to be caused by the CN field of the CA 
certificate exactly matching the CN field of the SSL certificate used on the 
puppet master host.

One possible solution is to change the default value of the CN field for the CA 
certificate to be distinct and unique from the CN field of the SSL certificate 
on the puppet master.  This may be accomplished by changing the default value 
of the ca_name configuration setting to something other than the FQDN of the 
host.

Expected Behavior:
CRL checking should work when enabled.

Actual Behavior:
CRL checking does not work when the CN field of the CA certificate exactly 
matches the CN field of the SSL server certificate.

Steps to reproduce:
Create a default puppet master SSL setup whereby the CN name of both the CA 
and SSL certificates is the FQDN of the host.

Enable SSL CRL checking on the puppet master.

Notice that CRL checking fails due to a conflict and confusion over the correct 
certificate to use.

Suggested fix:
Change the behavior of the ca_name configuration setting to create a CA 
certificate with a CN of:

"Puppet CA #{Facter["fqdn"].value}"

rather than the current behavior of "#{Facter["fqdn"].value}" or 
"#{Facter["hostname"].value}.#{Facter["domain"].value}"
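To make the CN collision concrete, here is an added Ruby example (not Puppet's own code) that builds a self-signed CA and a CA-issued server certificate with the openssl standard library and audits whether their subject CNs collide as described above; `ca_name_for` applies the suggested "Puppet CA #{fqdn}" default. The hostname `puppet.example.com` and all function names are constructed for the example.

```ruby
require 'openssl'
# Default CA name proposed in the ticket, built from the host's fqdn.
def ca_name_for(fqdn)
  "Puppet CA #{fqdn}"
end

# Return the CN attribute of a certificate's subject (nil if absent).
def common_name(cert)
  entry = cert.subject.to_a.find { |attr, _value, _type| attr == 'CN' }
  entry && entry[1]
end

# Fill in the fields shared by every certificate built here.
def base_cert(cn, issuer, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer || cert.subject
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed CA certificate whose subject CN is `cn` (constructed test CA).
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = base_cert(cn, nil, 1)
  cert.public_key = key.public_key
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server certificate for `cn`, issued by the given CA.
def make_server_cert(cn, ca_cert, ca_key)
  cert = base_cert(cn, ca_cert.subject, 2)
  cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The misconfiguration from the ticket: identical CA and server subjects, so the
# CRL issuer and the server certificate cannot be told apart by name.
def audit_cn_collision(ca_cert, server_cert)
  return [] unless ca_cert.subject.cmp(server_cert.subject).zero?
  ["CA subject '#{common_name(ca_cert)}' equals server subject; CRL checking unreliable"]
end
```

Running `audit_cn_collision` against a default setup (both CNs set to the FQDN) returns one finding, while a CA named with `ca_name_for` returns none.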
