Issue #1168 has been updated by Daniel Pittman.

Jeff McCune wrote:
> On Tue, Feb 14, 2012 at 4:11 PM, <[email protected]> wrote:
> > If you mean to fix the assumption that the filename and content match, then
> > go ahead.
> >
> > If you mean to use case sensitive filenames and expect them to work, no.
> > That brings in a host of other problems.
>
> What if we stored the certificate in a filename based on the down
> cased SHA256 hash of the cert's name?

OpenSSL traditionally used some sort of hashing for certificate location, so that seems pretty reasonable to me. Are we comfortable with the possible collisions that causes, though? At least some languages have more challenge around case-mapping, and while I am not certain this is a problem here, it might increase the risk of accidental or malicious collision.

Are you also proposing we handle, e.g., Unicode normalized forms to support Mac vs non-Mac systems?

> This would avoid issues with case insensitive filesystems at the cost
> of UX for people who want to directly work with the files on disk
> instead of using `puppet cert`

I would make that trade-off for technical correctness if required, but a less painful option seems to be to index the data set so we don't have to do a "full table scan", no? Create an index aside from the files on disk that maps their names in a way we can quickly identify the correct file, giving us the best of both worlds - human filenames, and fast lookup without case issues.

----------------------------------------
Bug #1168: Master-side client certificates convert hostnames to lowercase
https://projects.puppetlabs.com/issues/1168#change-54912

Author: Mike Brittain
Status: In Topic Branch Pending Review
Priority: Normal
Assignee: Daniel Pittman
Category: unknown
Target version: 2.7.11
Affected Puppet version: 2.7.10
Keywords: certificate, naming
Branch:

I'm trying to use master-side certificate generation with hosts at Amazon's EC2 service. Internal hostnames there use mixed-case names:

<pre>
domU-12-31-12-34-56-78.compute-1.internal
</pre>

Note the "U" is upper-case. I build a set of certificates for this client:

<pre>
puppetca --generate domU-12-31-12-34-56-78.compute-1.internal
</pre>

Resulting files are:

<pre>
./private_keys/domu-12-31-12-34-56-78.compute-1.internal.pem
./certs/domu-12-31-12-34-56-78.compute-1.internal.pem
./ca/signed/domu-12-31-12-34-56-78.compute-1.internal.pem
</pre>

Note all lower-case "u"s in "domu". When I put these onto the puppet client, they are mis-matched between hostname and filenames. The client (when started) ends up creating new keys with mixed-case names next to the versions that were copied from the Puppet master server:

<pre>
-rw------- 1 root root domU-12-31-12-34-56-78.compute-1.internal.pem
-r-------- 1 root root domu-12-31-12-34-56-78.compute-1.internal.pem
</pre>

It's very possible this is invalid. I don't know the specs surrounding certificate generation.
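
The side index proposed in the reply above, sketched as an added example (not Puppet's code and not part of the original thread): file names stay human-readable, lookups go through an NFC-normalized, case-folded key, and any key claimed by two files is refused rather than resolved. `CertIndex` and its method names are hypothetical, and the file list is constructed.

```ruby
require 'digest'

# Added illustration; CertIndex and its methods are hypothetical, not Puppet's API.
module CertIndex
  # Lookup key: Unicode NFC normalization, then full case folding.
  def self.key_for(certname)
    certname.unicode_normalize(:nfc).downcase(:fold)
  end

  # The alternative from the thread: a filename derived from the SHA256 of the
  # down-cased name. Hashing the folded key makes case variants share a file.
  def self.hashed_filename(certname)
    "#{Digest::SHA256.hexdigest(key_for(certname))}.pem"
  end

  # Returns [index, collisions]. Keys claimed by more than one file are kept
  # out of the index so that lookups for them fail closed.
  def self.build(filenames)
    groups = filenames.group_by { |f| key_for(File.basename(f, '.pem')) }
    ambiguous, unique = groups.partition { |_key, files| files.size > 1 }
    [unique.map { |key, files| [key, files.first] }.to_h, ambiguous.to_h]
  end

  def self.lookup(index, certname)
    index[key_for(certname)]
  end
end

# Constructed directory listing: the two domU/domu names come from the report,
# the others are made up.
SAMPLE_FILES = [
  'domU-12-31-12-34-56-78.compute-1.internal.pem',
  'domu-12-31-12-34-56-78.compute-1.internal.pem',
  'web01.example.com.pem',
  "caf\u00e9.example.com.pem" # precomposed (NFC) form
].freeze

index, collisions = CertIndex.build(SAMPLE_FILES)
puts CertIndex.lookup(index, 'WEB01.Example.com').inspect
puts CertIndex.lookup(index, "cafe\u0301.example.com").inspect # decomposed (NFD) name
puts CertIndex.lookup(index, 'domU-12-31-12-34-56-78.compute-1.internal').inspect
puts collisions.inspect
```
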
