Having a root ca_name that matches the fqdn of the puppet master would cause certificate lookup problems on some clients, resulting in failed SSL negotiation.
Signed-off-by: Jacob Helwig <ja...@puppetlabs.com>
---
 lib/puppet/defaults.rb | 2 +-
 lib/puppet/ssl/certificate_request.rb | 2 +-
 lib/puppet/sslcertificates/ca.rb | 14 ++++----------
 spec/integration/defaults_spec.rb | 2 +-
 spec/unit/sslcertificates/ca_spec.rb | 13 ++++++++++++-
 5 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 318ff41..972e9e6 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -268,7 +268,7 @@ module Puppet
 setdefaults(
 :ca,
- :ca_name => ["$certname", "The name to use the Certificate Authority certificate."],
+ :ca_name => ["Puppet CA: $certname", "The name to use the Certificate Authority certificate."],
 :cadir => {
 :default => "$ssldir/ca",
 :owner => "service",
 :group => "service",
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index e4d06a0..2f6cae3 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -29,7 +29,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
 # Support either an actual SSL key, or a Puppet key.
 key = key.content if key.is_a?(Puppet::SSL::Key)
- # If we're a CSR for the CA, then use the real certname, rather than the
+ # If we're a CSR for the CA, then use the real ca_name, rather than the
 # fake 'ca' name. This is mostly for backward compatibility with 0.24.x,
 # but it's also just a good idea.
 common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] : name
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 63e6b92..f3321bd 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
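Review bot: The rewritten `:ca_name` line in the defaults.rb hunk keeps the setting's description text `"The name to use the Certificate Authority certificate."`, which is missing a word; since the line is being touched anyway it should read `:ca_name => ["Puppet CA: $certname", "The name to use for the Certificate Authority certificate."]`. This description string is presumably what ends up in the generated settings reference, so it is worth correcting together with the new default.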
@@ -147,21 +147,19 @@ class Puppet::SSLCertificates::CA
 # Create the root certificate.
 def mkrootcert
- # Make the root cert's name the FQDN of the host running the CA.
- name = Facter["hostname"].value
+ # Make the root cert's name "Puppet CA: " plus the FQDN of the host running the CA.
+ name = "Puppet CA: #{Facter["hostname"].value}"
 if domain = Facter["domain"].value
 name += ".#{domain}"
 end
- cert = Certificate.new(
-
+ cert = Certificate.new(
 :name => name,
 :cert => @config[:cacert],
 :encrypt => @config[:capass],
 :key => @config[:cakey],
 :selfsign => true,
 :ttl => ttl,
-
 :type => :ca
 )
@@ -241,19 +239,15 @@ class Puppet::SSLCertificates::CA
 f << "%04X" % (serial + 1)
 }
-
- newcert = Puppet::SSLCertificates.mkcert(
-
+ newcert = Puppet::SSLCertificates.mkcert(
 :type => :server,
 :name => csr.subject,
 :ttl => ttl,
 :issuer => @cert,
 :serial => serial,
-
 :publickey => csr.public_key
 )
-
 sign_with_key(newcert)
 self.storeclientcert(newcert)
diff --git a/spec/integration/defaults_spec.rb b/spec/integration/defaults_spec.rb
index 4ae2983..1f90c7c 100755
--- a/spec/integration/defaults_spec.rb
+++ b/spec/integration/defaults_spec.rb
@@ -227,7 +227,7 @@ describe "Puppet defaults" do
 it "should have a :caname setting that defaults to the cert name" do
 Puppet.settings[:certname] = "foo"
- Puppet.settings[:ca_name].should == "foo"
+ Puppet.settings[:ca_name].should == "Puppet CA: foo"
 end
 it "should have a 'prerun_command' that defaults to the empty string" do
diff --git a/spec/unit/sslcertificates/ca_spec.rb b/spec/unit/sslcertificates/ca_spec.rb
index aa7e25f..b1393b2 100644
--- a/spec/unit/sslcertificates/ca_spec.rb
+++ b/spec/unit/sslcertificates/ca_spec.rb
@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
- require File.dirname(__FILE__) + '/../../spec_helper'
+ require 'puppet'
 require 'puppet/sslcertificates'
 require 'puppet/sslcertificates/ca'
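Review bot: The new `name = "Puppet CA: #{Facter["hostname"].value}"` line in `mkrootcert` hard-codes the same prefix that the defaults.rb hunk puts into the `ca_name` default, so the legacy `Puppet::SSLCertificates::CA` path and the `Puppet::SSL::CertificateRequest` path (which reads `Puppet.settings[:ca_name]`) only agree while nobody overrides `ca_name`; an operator who changes that setting gets a CA subject that differs depending on which code path generated the certificate. At minimum the literal should be defined once and shared, e.g. `CA_NAME_PREFIX = "Puppet CA: ".freeze` on the class and `name = "#{CA_NAME_PREFIX}#{Facter["hostname"].value}"` here, or this path should derive the name from the setting as the CSR path does. The `mkrootcert` body continues past the end of the hunk.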
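Review bot: The example description `"should have a :caname setting that defaults to the cert name"` in the defaults_spec.rb hunk is now wrong on two counts: the setting is `:ca_name`, and the new expectation is `"Puppet CA: foo"`, not the cert name. Rename it to match what is asserted: `it "should have a :ca_name setting that defaults to 'Puppet CA: ' plus the cert name" do`.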
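Review bot: In the first ca_spec.rb hunk, replacing `require File.dirname(__FILE__) + '/../../spec_helper'` with `require 'puppet'` drops the shared spec setup for this file, while the example added in the next hunk of the same file uses `mock()`, `expects` and `Facter.stubs`, i.e. it depends on mocha being configured as the mock framework. If spec_helper is where that configuration and the per-example settings reset live, this spec now only works when some other file happened to load spec_helper first. Unless the dependency was removed deliberately for a reason the commit message does not give, keep the spec_helper line and add `require 'puppet'` next to it.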
@@ -95,5 +95,16 @@ describe Puppet::SSLCertificates::CA do
 it 'should store the public key' do
 File.exists?(Puppet[:capub]).should be_true
 end
+
+ it 'should prepend "Puppet CA: " to the fqdn as the ca_name by default' do
+ host_mock_fact = mock()
+ host_mock_fact.expects(:value).returns('myhost')
+ domain_mock_fact = mock()
+ domain_mock_fact.expects(:value).returns('puppetlabs.lan')
+ Facter.stubs(:[]).with('hostname').returns(host_mock_fact)
+ Facter.stubs(:[]).with('domain').returns(domain_mock_fact)
+
+ @ca.mkrootcert.name.should == 'Puppet CA: myhost.puppetlabs.lan'
+ end
 end
 end
-- 
1.7.3

-- 
You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-...@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.