Fix #4226 - Prepend 'Puppet CA: ' to fqdn for default root ca_name

Having a root ca_name that matches the fqdn of the puppet master would
cause certificate lookup problems on some clients, resulting in failed SSL
negotiation.

Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>

5 files changed, 19 insertions, 14 deletions

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 318ff416b..972e9e66c 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -268,7 +268,7 @@ module Puppet
 
     setdefaults(
     :ca,
-    :ca_name => ["$certname", "The name to use the Certificate Authority certificate."],
+    :ca_name => ["Puppet CA: $certname", "The name to use the Certificate Authority certificate."],
     :cadir => {  :default => "$ssldir/ca",
       :owner => "service",
       :group => "service",
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index e4d06a039..2f6cae3f5 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -29,7 +29,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
     # Support either an actual SSL key, or a Puppet key.
     key = key.content if key.is_a?(Puppet::SSL::Key)
 
-    # If we're a CSR for the CA, then use the real certname, rather than the
+    # If we're a CSR for the CA, then use the real ca_name, rather than the
     # fake 'ca' name.  This is mostly for backward compatibility with 0.24.x,
     # but it's also just a good idea.
     common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] : name
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 63e6b922a..f3321bd29 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -147,21 +147,19 @@ class Puppet::SSLCertificates::CA
 
   # Create the root certificate.
   def mkrootcert
-    # Make the root cert's name the FQDN of the host running the CA.
-    name = Facter["hostname"].value
+    # Make the root cert's name "Puppet CA: " plus the FQDN of the host running the CA.
+    name = "Puppet CA: #{Facter["hostname"].value}"
     if domain = Facter["domain"].value
       name += ".#{domain}"
     end
 
-          cert = Certificate.new(
-                
+    cert = Certificate.new(
       :name => name,
       :cert => @config[:cacert],
       :encrypt => @config[:capass],
       :key => @config[:cakey],
       :selfsign => true,
       :ttl => ttl,
-        
       :type => :ca
     )
 
@@ -241,19 +239,15 @@ class Puppet::SSLCertificates::CA
       f << "%04X" % (serial + 1)
     }
 
-
-          newcert = Puppet::SSLCertificates.mkcert(
-                
+    newcert = Puppet::SSLCertificates.mkcert(
       :type => :server,
       :name => csr.subject,
       :ttl => ttl,
       :issuer => @cert,
       :serial => serial,
-        
       :publickey => csr.public_key
     )
 
-
     sign_with_key(newcert)
 
     self.storeclientcert(newcert)
diff --git a/spec/integration/defaults_spec.rb b/spec/integration/defaults_spec.rb
index 4ae2983f4..1f90c7cbc 100755
--- a/spec/integration/defaults_spec.rb
+++ b/spec/integration/defaults_spec.rb
@@ -227,7 +227,7 @@ describe "Puppet defaults" do
 
   it "should have a :caname setting that defaults to the cert name" do
     Puppet.settings[:certname] = "foo"
-    Puppet.settings[:ca_name].should == "foo"
+    Puppet.settings[:ca_name].should == "Puppet CA: foo"
   end
 
   it "should have a 'prerun_command' that defaults to the empty string" do
diff --git a/spec/unit/sslcertificates/ca_spec.rb b/spec/unit/sslcertificates/ca_spec.rb
index aa7e25ff3..b1393b25d 100644
--- a/spec/unit/sslcertificates/ca_spec.rb
+++ b/spec/unit/sslcertificates/ca_spec.rb
@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
-
 require File.dirname(__FILE__) + '/../../spec_helper'
+
 require 'puppet'
 require 'puppet/sslcertificates'
 require 'puppet/sslcertificates/ca'
@@ -95,5 +95,16 @@ describe Puppet::SSLCertificates::CA do
     it 'should store the public key' do
       File.exists?(Puppet[:capub]).should be_true
     end
+
+    it 'should prepend "Puppet CA: " to the fqdn as the ca_name by default' do
+      host_mock_fact = mock()
+      host_mock_fact.expects(:value).returns('myhost')
+      domain_mock_fact = mock()
+      domain_mock_fact.expects(:value).returns('puppetlabs.lan')
+      Facter.stubs(:[]).with('hostname').returns(host_mock_fact)
+      Facter.stubs(:[]).with('domain').returns(domain_mock_fact)
+
+      @ca.mkrootcert.name.should == 'Puppet CA: myhost.puppetlabs.lan'
+    end
   end
 end