Issue #10739 has been updated by Josh Cooper.

Status changed from Needs Decision to Accepted
Assignee changed from Nigel Kersten to Josh Cooper
Target version set to 2.7.x
----------------------------------------
Bug #10739: An initial installation of 2.7.6 results in a default certificate without alternate names
https://projects.puppetlabs.com/issues/10739

Author: Eli Klein
Status: Accepted
Priority: Normal
Assignee: Josh Cooper
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.7.6
Keywords:
Branch:

Facts around the bug:

- Using puppet/puppet-server 2.7.6-2 RPM from the puppetlabs repo
- CentOS 5.6
- Stock puppet.conf

After starting the server for the first time, the certificate contains only the local hostname of the system.

Here's the openssl output from the created certificate:

    [root@bld-testpuppet-01 etc]# openssl x509 -in /var/lib/puppet/ssl/certs/bld-testpuppet-01.f4tech.com.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Puppet CA: bld-testpuppet-01.f4tech.com
            Validity
                Not Before: Nov 10 15:35:35 2011 GMT
                Not After : Nov 9 15:35:35 2016 GMT
            Subject: CN=bld-testpuppet-01.f4tech.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bb:0c:aa:c3:73:ed:1a:30:65:83:f9:78:18:9e:
                        81:00:fa:32:b1:32:35:0d:c4:97:a2:93:18:8c:3f:
                        ee:4b:37:e1:e7:49:ec:bb:dc:0e:85:b2:3b:41:de:
                        58:aa:58:25:e0:a2:06:df:2e:7e:e1:2d:33:05:a2:
                        45:3c:17:3f:12:7a:70:58:7b:e7:ce:13:dc:c1:fa:
                        1e:8a:5f:d1:5c:6a:9b:9c:cb:cb:1a:35:09:07:d9:
                        25:31:b9:81:27:1b:44:55:7f:3f:2e:12:d5:da:29:
                        79:d1:15:09:22:b6:a0:04:62:12:73:80:88:81:b3:
                        fb:41:22:99:34:04:a5:5c:a1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    22:C8:D0:C9:4F:9D:BD:69:58:FB:9B:0F:91:AE:E4:65:6B:86:5A:DC
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                Netscape Comment:
                    Puppet Ruby/OpenSSL Internal Certificate
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
        Signature Algorithm: sha1WithRSAEncryption
            04:ce:b2:07:2c:3f:d0:de:03:6f:0f:db:7d:06:b2:37:1a:1a:
            8f:e4:b5:56:98:fa:1d:a1:81:56:d6:ad:7a:f8:3e:41:3e:0b:
            56:32:4f:67:de:99:77:82:59:8b:a3:67:53:19:0f:b4:9e:24:
            38:79:5b:0b:e3:87:9a:cb:e3:4e:61:db:a7:9a:f8:98:3c:24:
            0e:37:3b:2d:02:9b:dd:6d:64:c2:09:7e:0e:7f:4c:43:38:58:
            c6:e0:f3:dc:07:70:d2:49:31:c3:e6:f8:f4:f7:35:8a:f4:b8:
            f4:7e:e7:37:fb:d0:c4:42:8b:be:3f:f3:8c:c4:42:1f:ab:e8:
            19:14
    -----BEGIN CERTIFICATE-----
    MIICazCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDDCdQdXBw
    ZXQgQ0E6IGJsZC10ZXN0cHVwcGV0LTAxLmY0dGVjaC5jb20wHhcNMTExMTEwMTUz
    NTM1WhcNMTYxMTA5MTUzNTM1WjAnMSUwIwYDVQQDDBxibGQtdGVzdHB1cHBldC0w
    MS5mNHRlY2guY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7DKrDc+0a
    MGWD+XgYnoEA+jKxMjUNxJeikxiMP+5LN+HnSey73A6FsjtB3liqWCXgogbfLn7h
    LTMFokU8Fz8SenBYe+fOE9zB+h6KX9Fcapucy8saNQkH2SUxuYEnG0RVfz8uEtXa
    KXnRFQkitqAEYhJzgIiBs/tBIpk0BKVcoQIDAQABo4GbMIGYMAwGA1UdEwEB/wQC
    MAAwHQYDVR0OBBYEFCLI0MlPnb1pWPubD5Gu5GVrhlrcMA4GA1UdDwEB/wQEAwIF
    oDA3BglghkgBhvhCAQ0EKhYoUHVwcGV0IFJ1YnkvT3BlblNTTCBJbnRlcm5hbCBD
    ZXJ0aWZpY2F0ZTAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJ
    KoZIhvcNAQEFBQADgYEABM6yByw/0N4Dbw/bfQayNxoaj+S1Vpj6HaGBVtatevg+
    QT4LVjJPZ96Zd4JZi6NnUxkPtJ4kOHlbC+OHmsvjTmHbp5r4mDwkDjc7LQKb3W1k
    wgl+Dn9MQzhYxuDz3Adw0kkxw+b49Pc1ivS49H7nN/vQxEKLvj/zjMRCH6voGRQ=
    -----END CERTIFICATE-----

Note the missing entry similar to the following:

    X509v3 Subject Alternative Name:
        DNS:puppet, DNS:bld-testpuppet-01.f4tech.com, DNS:puppet.f4tech.com

Adding in the dns_alt_names keyword to the config with the additional names results in the correct certificate after it's regenerated.

Please let me know if you need further information. I've been able to reproduce this 3 times on freshly installed systems.
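An added example, not part of the original report and not Puppet's own code: a Ruby check that reports which expected names are absent from a certificate's Subject Alternative Name extension, the condition described in this bug. The helper names (san_dns_names, missing_alt_names, build_cert) are hypothetical, and the certificates it builds are constructed, self-signed test data; the expected names are the ones quoted in the report.

```ruby
require 'openssl'

# DNS names quoted in the report's "missing entry" example.
EXPECTED = %w[puppet bld-testpuppet-01.f4tech.com puppet.f4tech.com].freeze

# DNS entries of the subjectAltName extension; [] when the extension is absent.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(/,\s*/).map { |v| v[/\ADNS:(.+)\z/, 1] }.compact
end

# Names from `expected` that the certificate does not list in its SAN.
def missing_alt_names(cert, expected)
  expected.map(&:downcase) - san_dns_names(cert).map(&:downcase)
end

# Constructed test data: a throwaway self-signed certificate.
# An empty alt_names list reproduces the CN-only certificate from the report.
def build_cert(common_name, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Optional: check a PEM file given on the command line.
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  cert = OpenSSL::X509::Certificate.new(File.read(ARGV[0]))
  missing = missing_alt_names(cert, EXPECTED)
  puts missing.empty? ? 'all expected names present' : "missing: #{missing.join(', ')}"
end
```

Run against a master certificate after first start, a non-empty "missing" list indicates the certificate was generated without the alternate names and needs regenerating once dns_alt_names is set.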
