+1 On Thu, Sep 23, 2010 at 4:04 PM, Jacob Helwig <ja...@puppetlabs.com> wrote:
> Having a root ca_name that matches the fqdn of the puppet master would > cause certificate lookup problems on some clients, resulting in failed SSL > negotiation. > > Signed-off-by: Jacob Helwig <ja...@puppetlabs.com> > --- > lib/puppet/defaults.rb | 2 +- > lib/puppet/ssl/certificate_request.rb | 2 +- > lib/puppet/sslcertificates/ca.rb | 14 ++++---------- > spec/integration/defaults_spec.rb | 2 +- > spec/unit/sslcertificates/ca_spec.rb | 13 ++++++++++++- > 5 files changed, 19 insertions(+), 14 deletions(-) > > diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb > index 318ff41..972e9e6 100644 > --- a/lib/puppet/defaults.rb > +++ b/lib/puppet/defaults.rb > @@ -268,7 +268,7 @@ module Puppet > > setdefaults( > :ca, > - :ca_name => ["$certname", "The name to use the Certificate Authority > certificate."], > + :ca_name => ["Puppet CA: $certname", "The name to use the Certificate > Authority certificate."], > :cadir => { :default => "$ssldir/ca", > :owner => "service", > :group => "service", > diff --git a/lib/puppet/ssl/certificate_request.rb > b/lib/puppet/ssl/certificate_request.rb > index e4d06a0..2f6cae3 100644 > --- a/lib/puppet/ssl/certificate_request.rb > +++ b/lib/puppet/ssl/certificate_request.rb > @@ -29,7 +29,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base > # Support either an actual SSL key, or a Puppet key. > key = key.content if key.is_a?(Puppet::SSL::Key) > > - # If we're a CSR for the CA, then use the real certname, rather than > the > + # If we're a CSR for the CA, then use the real ca_name, rather than > the > # fake 'ca' name. This is mostly for backward compatibility with > 0.24.x, > # but it's also just a good idea. > common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] > : name > diff --git a/lib/puppet/sslcertificates/ca.rb > b/lib/puppet/sslcertificates/ca.rb > index 63e6b92..f3321bd 100644 > --- a/lib/puppet/sslcertificates/ca.rb > +++ b/lib/puppet/sslcertificates/ca.rb 
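Review bot: The changed `:ca_name` default line in defaults.rb keeps a description with a word missing, `"The name to use the Certificate Authority certificate."`; `"The name to use for the Certificate Authority certificate."` says what is meant. It would also help to state in that description that the value is only applied when the CA certificate is created — the only consumer visible in this patch is the CA-CSR branch in certificate_request.rb — so an existing CA whose subject is the master's FQDN keeps that name after upgrading and still hits the lookup problem the commit message describes unless the CA is regenerated. Whether regenerating invalidates certificates already signed under the old CA is not visible here, but if it does, the description or the commit message should say so.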
> @@ -147,21 +147,19 @@ class Puppet::SSLCertificates::CA > > # Create the root certificate. > def mkrootcert > - # Make the root cert's name the FQDN of the host running the CA. > - name = Facter["hostname"].value > + # Make the root cert's name "Puppet CA: " plus the FQDN of the host > running the CA. > + name = "Puppet CA: #{Facter["hostname"].value}" > if domain = Facter["domain"].value > name += ".#{domain}" > end > > - cert = Certificate.new( > - > + cert = Certificate.new( > :name => name, > :cert => @config[:cacert], > :encrypt => @config[:capass], > :key => @config[:cakey], > :selfsign => true, > :ttl => ttl, > - > :type => :ca > ) > > @@ -241,19 +239,15 @@ class Puppet::SSLCertificates::CA > f << "%04X" % (serial + 1) > } > > - > - newcert = Puppet::SSLCertificates.mkcert( > - > + newcert = Puppet::SSLCertificates.mkcert( > :type => :server, > :name => csr.subject, > :ttl => ttl, > :issuer => @cert, > :serial => serial, > - > :publickey => csr.public_key > ) > > - > sign_with_key(newcert) > > self.storeclientcert(newcert) > diff --git a/spec/integration/defaults_spec.rb > b/spec/integration/defaults_spec.rb > index 4ae2983..1f90c7c 100755 > --- a/spec/integration/defaults_spec.rb > +++ b/spec/integration/defaults_spec.rb > @@ -227,7 +227,7 @@ describe "Puppet defaults" do > > it "should have a :caname setting that defaults to the cert name" do > Puppet.settings[:certname] = "foo" > - Puppet.settings[:ca_name].should == "foo" > + Puppet.settings[:ca_name].should == "Puppet CA: foo" > end > > it "should have a 'prerun_command' that defaults to the empty string" do > diff --git a/spec/unit/sslcertificates/ca_spec.rb > b/spec/unit/sslcertificates/ca_spec.rb > index aa7e25f..b1393b2 100644 > --- a/spec/unit/sslcertificates/ca_spec.rb > +++ b/spec/unit/sslcertificates/ca_spec.rb 
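Review bot: `mkrootcert` now hard-codes the `"Puppet CA: "` prefix and builds the rest of the name from the `hostname` and `domain` facts, while the defaults.rb hunk introduces the same prefix through the `ca_name` setting as `"Puppet CA: $certname"`; the two CA-creation paths can therefore produce different CA subjects on the same host (facts vs. certname), and the prefix literal is duplicated across files. If the legacy CA has the setting available (this hunk only shows `@config[:cacert]`, `@config[:capass]` and `@config[:cakey]`, so I cannot tell), deriving `name` from it would keep the two in step; otherwise a shared constant for the prefix would at least stop them drifting apart. The body of `mkrootcert` continues past the end of the hunk.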
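Review bot: The example's description in defaults_spec.rb, `it "should have a :caname setting that defaults to the cert name" do`, no longer matches the expectation it now carries, since the value is the cert name with a `"Puppet CA: "` prefix, and it names the setting `:caname` rather than `:ca_name`. Suggest `it "should have a :ca_name setting that defaults to 'Puppet CA: ' plus the cert name" do`. The description line is context in this hunk, so it needs its own edit.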
> @@ -1,6 +1,6 @@ > #!/usr/bin/env ruby > - > require File.dirname(__FILE__) + '/../../spec_helper' > + > require 'puppet' > require 'puppet/sslcertificates' > require 'puppet/sslcertificates/ca' > @@ -95,5 +95,16 @@ describe Puppet::SSLCertificates::CA do > it 'should store the public key' do > File.exists?(Puppet[:capub]).should be_true > end > + > + it 'should prepend "Puppet CA: " to the fqdn as the ca_name by > default' do > + host_mock_fact = mock() > + host_mock_fact.expects(:value).returns('myhost') > + domain_mock_fact = mock() > + domain_mock_fact.expects(:value).returns('puppetlabs.lan') > + Facter.stubs(:[]).with('hostname').returns(host_mock_fact) > + Facter.stubs(:[]).with('domain').returns(domain_mock_fact) > + > + @ca.mkrootcert.name.should == 'Puppet CA: myhost.puppetlabs.lan' > + end > end > end > -- > 1.7.3 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Developers" group. > To post to this group, send email to puppet-...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-dev+unsubscr...@googlegroups.com<puppet-dev%2bunsubscr...@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-dev?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-...@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
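Review bot: The new example in ca_spec.rb only exercises the path where `Facter["domain"].value` returns a domain, so the other branch of `if domain = Facter["domain"].value` in `mkrootcert`, which yields `"Puppet CA: myhost"` with no suffix, is still unverified after this change. A second example with the domain mock returning `nil` would pin that form, and with `expects(:value)` it also confirms the fact is read exactly once on that path. The proposed example follows.
```ruby
  it 'should use "Puppet CA: " plus the hostname alone as the ca_name when there is no domain fact' do
    host_mock_fact = mock()
    host_mock_fact.expects(:value).returns('myhost')
    domain_mock_fact = mock()
    domain_mock_fact.expects(:value).returns(nil)
    Facter.stubs(:[]).with('hostname').returns(host_mock_fact)
    Facter.stubs(:[]).with('domain').returns(domain_mock_fact)

    @ca.mkrootcert.name.should == 'Puppet CA: myhost'
  end
```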