On Thu, 23 Sep 2010 14:24:44 -0700, Jeff McCune wrote:
> Date: Thu, 23 Sep 2010 14:24:44 -0700
> From: Jeff McCune <j...@puppetlabs.com>
> To: puppet-dev@googlegroups.com
> Subject: [Puppet-dev] [PATCH/puppet 2/2] Fix #4226 ca_name should not
>  match fqdn
> X-Mailer: git-send-email 1.7.0.6
> Message-Id: <1285277084-1844-2-git-send-email-j...@puppetlabs.com>
> 
> This commit provides the fix and updates the spec test for #4226.
> The fix changes the default behavior of the ca certificate common
> name field.  When generating the CA certificate, the common name should
> not exactly match the common name of the master's SSL certificate to
> assist certificate revocation.
> 
> This commit changes the common name to be of the pattern:
> CN=Puppet CA: $certname
> e.g.
> CN=Puppet CA: puppet.puppetlabs.lan
> 
> Signed-off-by: Jeff McCune <j...@puppetlabs.com>
> ---
>  lib/puppet/defaults.rb            |    2 +-
>  spec/integration/defaults_spec.rb |    4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
> index 318ff41..972e9e6 100644
> --- a/lib/puppet/defaults.rb
> +++ b/lib/puppet/defaults.rb
> @@ -268,7 +268,7 @@ module Puppet
>  
>      setdefaults(
>      :ca,
> -    :ca_name => ["$certname", "The name to use the Certificate Authority 
> certificate."],
> +    :ca_name => ["Puppet CA: $certname", "The name to use the Certificate 
> Authority certificate."],
>      :cadir => {  :default => "$ssldir/ca",
>        :owner => "service",
>        :group => "service",
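Review bot: The setting description on the `+` line, "The name to use the Certificate Authority certificate.", is missing a word; since the hunk already rewrites this string, suggest "The name to use for the Certificate Authority certificate." The new default "Puppet CA: $certname" does meet the stated goal (the CA common name no longer equals the master certificate's common name while still being derived from it), but the description gives no hint that the value is prefixed, so a reader of `puppet --genconfig` will not learn why the CA subject differs from $certname; consider mentioning the prefix in the description as well.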
> diff --git a/spec/integration/defaults_spec.rb 
> b/spec/integration/defaults_spec.rb
> index 4ae2983..77346b9 100755
> --- a/spec/integration/defaults_spec.rb
> +++ b/spec/integration/defaults_spec.rb
> @@ -225,9 +225,9 @@ describe "Puppet defaults" do
>      end
>    end
>  
> -  it "should have a :caname setting that defaults to the cert name" do
> +  it "should have a :caname setting of 'Puppet CA: $fqdn'" do
>      Puppet.settings[:certname] = "foo"
> -    Puppet.settings[:ca_name].should == "foo"
> +    Puppet.settings[:ca_name].should == "Puppet CA: foo"
>    end
>  
>    it "should have a 'prerun_command' that defaults to the empty string" do
> -- 
> 1.7.0.6
> 

For completeness, I think we should also adjust the CN in
lib/puppet/sslcertificates/ca.rb.  Patch to follow.

-- 
Jacob Helwig
