Issue #10739 has been updated by Kelsey Hightower.

Due date set to 11/15/2011
Status changed from Investigating to Closed
% Done changed from 0 to 100
Estimated time set to 1.00
Eli, I am providing you a link to our docs that provide more detail as to why certdnsname is no longer used: [certdnsname](http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames)

The certdnsnames setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set dns_alt_names in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other subjectAltName value, for another node's certificate. Alternately you can use the --dns_alt_names command line option to set the labels added while generating your own CSR.

----------------------------------------
Bug #10739: An initial installation of 2.7.6 results in a default certificate without alternate names
https://projects.puppetlabs.com/issues/10739

Author: Eli Klein
Status: Closed
Priority: Normal
Assignee: Kelsey Hightower
Category:
Target version:
Affected Puppet version: 2.7.6
Keywords:
Branch:

Facts around the bug:
- Using puppet/puppet-server 2.7.6-2 RPM from the puppetlabs repo
- CentOS 5.6
- Stock puppet.conf

After starting the server for the first time, the certificate contains only the local hostname of the system.
Here's the openssl output from the created certificate:

[root@bld-testpuppet-01 etc]# openssl x509 -in /var/lib/puppet/ssl/certs/bld-testpuppet-01.f4tech.com.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: bld-testpuppet-01.f4tech.com
        Validity
            Not Before: Nov 10 15:35:35 2011 GMT
            Not After : Nov 9 15:35:35 2016 GMT
        Subject: CN=bld-testpuppet-01.f4tech.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bb:0c:aa:c3:73:ed:1a:30:65:83:f9:78:18:9e:
                    81:00:fa:32:b1:32:35:0d:c4:97:a2:93:18:8c:3f:
                    ee:4b:37:e1:e7:49:ec:bb:dc:0e:85:b2:3b:41:de:
                    58:aa:58:25:e0:a2:06:df:2e:7e:e1:2d:33:05:a2:
                    45:3c:17:3f:12:7a:70:58:7b:e7:ce:13:dc:c1:fa:
                    1e:8a:5f:d1:5c:6a:9b:9c:cb:cb:1a:35:09:07:d9:
                    25:31:b9:81:27:1b:44:55:7f:3f:2e:12:d5:da:29:
                    79:d1:15:09:22:b6:a0:04:62:12:73:80:88:81:b3:
                    fb:41:22:99:34:04:a5:5c:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                22:C8:D0:C9:4F:9D:BD:69:58:FB:9B:0F:91:AE:E4:65:6B:86:5A:DC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        04:ce:b2:07:2c:3f:d0:de:03:6f:0f:db:7d:06:b2:37:1a:1a:
        8f:e4:b5:56:98:fa:1d:a1:81:56:d6:ad:7a:f8:3e:41:3e:0b:
        56:32:4f:67:de:99:77:82:59:8b:a3:67:53:19:0f:b4:9e:24:
        38:79:5b:0b:e3:87:9a:cb:e3:4e:61:db:a7:9a:f8:98:3c:24:
        0e:37:3b:2d:02:9b:dd:6d:64:c2:09:7e:0e:7f:4c:43:38:58:
        c6:e0:f3:dc:07:70:d2:49:31:c3:e6:f8:f4:f7:35:8a:f4:b8:
        f4:7e:e7:37:fb:d0:c4:42:8b:be:3f:f3:8c:c4:42:1f:ab:e8:
        19:14

Note the missing entry similar to the following:

            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:bld-testpuppet-01.f4tech.com, DNS:puppet.f4tech.com

Adding in the dns_alt_names keyword to the config with the additional names results in the correct certificate after it's regenerated. Please let me know if you need further information. I've been able to reproduce this 3 times on freshly installed systems.
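Added example, not part of the ticket or of Puppet's own code: a Ruby/OpenSSL check that reports which expected DNS alt names a master certificate lacks, the condition the report describes. The hostnames come from the report; the certificate it is exercised against is a self-signed one constructed locally, not the cert from the ticket.

```ruby
require 'openssl'

# DNS labels carried in a certificate's subjectAltName extension.
# Returns [] when the extension is absent, which is what the report shows.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.delete_prefix('DNS:') }
end

# Names agents will use to reach the master that the certificate does not carry.
def missing_alt_names(cert, expected)
  expected - san_dns_names(cert)
end

# Self-signed test certificate, constructed here for demonstration only; it mirrors
# the shape of the report's master cert (CN only, optional DNS SANs) with a 2048-bit key.
def make_test_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = OpenSSL::X509::Name.new([['CN', "Puppet CA: #{cn}"]])
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  unless alt_names.empty?
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Against a real master: missing_alt_names(OpenSSL::X509::Certificate.new(File.read(path)), names)
if __FILE__ == $PROGRAM_NAME
  expected = ['puppet', 'bld-testpuppet-01.f4tech.com', 'puppet.f4tech.com']
  stock = make_test_cert('bld-testpuppet-01.f4tech.com', [])
  puts "missing from stock cert: #{missing_alt_names(stock, expected).inspect}"
  fixed = make_test_cert('bld-testpuppet-01.f4tech.com', expected)
  puts "missing after dns_alt_names: #{missing_alt_names(fixed, expected).inspect}"
end
```

A non-empty result for the stock cert is the symptom from the ticket; regenerating the master cert with dns_alt_names set should make the result empty.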
