author | Luke Kanies <luke@madstop.com> | 2007-12-11 11:57:16 -0600 |
committer | Luke Kanies <luke@madstop.com> | 2007-12-11 11:57:16 -0600 |
commit | add245a12ae65b0254165d6724143e4be99387f8 (patch) | |
tree | 2f8e13cf5cfd5f6fb9f6b62e945130b157877f1d | |
parent | 1bbaf1833cd68220761ad47a5a0789d9eb2fa828 (diff) | |
parent | d9200a020075738c51af0c9269a40da23a17fd13 (diff) | |
Merge branch 'master' of ssh://reductivelabs.com/opt/rl/git/puppet
-rw-r--r-- | CHANGELOG | 10 | ||||
-rw-r--r-- | lib/puppet/defaults.rb | 7 | ||||
-rw-r--r-- | lib/puppet/provider/service/freebsd.rb | 4 | ||||
-rwxr-xr-x | lib/puppet/sslcertificates.rb | 11 | ||||
-rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 1 |
5 files changed, 23 insertions, 10 deletions
@@ -1,3 +1,13 @@
+ Modifying the behaviour of the certdnsnames setting. It now defaults
+ to an empty string, and will only be used if it is set to something
+ else. If it is set, then the host's FQDN will also be added as
+ an alias. The default behaviour is now to add 'puppet' and
+ 'puppet.$domain' as DNS aliases when the name for the cert being
+ signed is equal to the signing machine's name, which will only
+ be the case for CA servers. This should result in servers always
+ having the alias set up and no one else, but you can still override
+ the aliases if you want.
+ External node support now requires that you set the 'node_terminus' setting to 'exec'. See the IndirectionReference on the wiki for more information.
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 2e0daf60f..c5902cea9 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -167,10 +167,9 @@ module Puppet
 Puppet.setdefaults(:ssl,
 :certname => [fqdn, "The name to use when handling certificates. Defaults to the fully qualified domain name."],
- :certdnsnames => ['*:*.*:*.*.*:*.*.*.*:*.*.*.*.*:*.*.*.*.*.*', "The DNS
- names on the Server certificate as a colon-separated list. Defaults
- to wildcard match for all DNS names up to 6 dot-separated components
- long."],
+ :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
+ If it's anything other than an empty string, it will be used as an alias in the created
+ certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
 :certdir => ["$ssldir/certs", "The certificate directory."],
 :publickeydir => ["$ssldir/public_keys", "The public key directory."],
 :privatekeydir => { :default => "$ssldir/private_keys",
diff --git a/lib/puppet/provider/service/freebsd.rb b/lib/puppet/provider/service/freebsd.rb
index 8076469e1..e5d0453c3 100644
--- a/lib/puppet/provider/service/freebsd.rb
+++ b/lib/puppet/provider/service/freebsd.rb
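Review bot: The new `:certdnsnames` description states that by default "only the server gets an alias set up, and only for 'puppet'", but the code this commit adds in lib/puppet/sslcertificates.rb gives the matching certificate three aliases ('puppet', the FQDN and 'puppet.<domain>'), and when the setting is non-empty it appends the FQDN after the listed names; operators read this text to learn which names a signed certificate will be valid for, so it should match the implementation. Something like `If set, each colon-separated name plus the host's FQDN is added as a DNS alias to server certificates; if empty, only a certificate whose name matches the CA's own FQDN gets 'puppet', the FQDN and 'puppet.<domain>'.` would describe what the code does. The check in sslcertificates.rb is `dnsnames != ""`, so a value of whitespace or a lone ':' is treated as a real name list; the description could say the setting must be left empty to get the default behaviour.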
@@ -10,10 +10,6 @@ Puppet::Type.type(:service).provide :freebsd, :parent => :init do
 def self.defpath
 superclass.defpath
 end
-
- if self.suitable?
- Puppet.type(:service).newpath(:freebsd, defpath())
- end
 # remove service file from rc.conf.d to disable it
 def disable
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index e9d544125..bd0ce8c92 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -61,7 +61,16 @@ module Puppet::SSLCertificates
 key_usage = %w{cRLSign keyCertSign}
 when :server:
 basic_constraint = "CA:FALSE"
- hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ dnsnames = Puppet[:certdnsnames]
+ name = hash[:name].to_s.sub(%r{/CN=},'')
+ if dnsnames != ""
+ dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
+ subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
+ end
 key_usage = %w{digitalSignature keyEncipherment}
 ext_key_usage = %w{serverAuth clientAuth}
 when :ocsp:
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 161eb11b3..a3edd2cb4 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -288,7 +288,6 @@ class Puppet::SSLCertificates::CA
 newcert = Puppet::SSLCertificates.mkcert(
 :type => :server,
 :name => csr.subject,
- :dnsnames => Puppet[:certdnsnames],
 :ttl => ttl,
 :issuer => @cert,
 :serial => serial, |
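Review bot: The `puppet.<domain>` alias on the new `subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.")` line in lib/puppet/sslcertificates.rb leaves the trailing dot unescaped, so it matches any character; for a `name` with no dot at all (a bare hostname reported as the fqdn) it yields the malformed alias `puppet.` instead of leaving the name alone. `name.sub(/\A[^.]+\./, "puppet.")` anchors on a real label boundary, and the line could be skipped `if name.include?('.')`. The CN is recovered with `hash[:name].to_s.sub(%r{/CN=},'')`, which presumably assumes the subject is exactly `/CN=<host>`; a subject carrying further components would keep them in `name`, so the `name == Facter.value(:fqdn)` check would silently miss and no alias would be added — worth confirming against how ca.rb builds `csr.subject`. The `dnsnames != ""` branch applies to every certificate minted with `:type => :server` (the ca.rb hunk in this commit is the only caller visible), so a non-empty `certdnsnames` places those names on each such certificate rather than only the CA's, and the split should drop empty entries from a leading or doubled ':' with `.reject(&:empty?)` or an entry of bare `DNS:` ends up in the extension. The enclosing `case` and its method begin and end outside the hunk.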