authorLuke Kanies <luke@madstop.com>2007-12-11 11:51:54 -0600
committerLuke Kanies <luke@madstop.com>2007-12-11 11:51:54 -0600
commitd9200a020075738c51af0c9269a40da23a17fd13 (patch)
treeb18986aff394ce9f4880d57ac2c4893290b6d324
parent74db7772df856bac39081df9bd006c20c7175ec7 (diff)
Adding what is hopefully the last commit for #896. Here's the
changelog: Modifying the behaviour of the certdnsnames setting. It now defaults to an empty string, and will only be used if it is set to something else. If it is set, then the host's FQDN will also be added as an alias. The default behaviour is now to add 'puppet' and 'puppet.$domain' as DNS aliases when the name for the cert being signed is equal to the signing machine's name, which will only be the case for CA servers. This should result in servers always having the alias set up and no one else, but you can still override the aliases if you want.
-rw-r--r--CHANGELOG10
-rw-r--r--lib/puppet/defaults.rb7
-rwxr-xr-xlib/puppet/sslcertificates.rb11
-rw-r--r--lib/puppet/sslcertificates/ca.rb1
4 files changed, 23 insertions, 6 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 3548d52d8..9011b4a62 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,13 @@
+ Modifying the behaviour of the certdnsnames setting. It now defaults
+ to an empty string, and will only be used if it is set to something
+ else. If it is set, then the host's FQDN will also be added as
+ an alias. The default behaviour is now to add 'puppet' and
+ 'puppet.$domain' as DNS aliases when the name for the cert being
+ signed is equal to the signing machine's name, which will only
+ be the case for CA servers. This should result in servers always
+ having the alias set up and no one else, but you can still override
+ the aliases if you want.
+
External node support now requires that you set the 'node_terminus'
setting to 'exec'. See the IndirectionReference on the wiki for more
information.
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 2e0daf60f..c5902cea9 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -167,10 +167,9 @@ module Puppet
Puppet.setdefaults(:ssl,
:certname => [fqdn, "The name to use when handling certificates. Defaults
to the fully qualified domain name."],
- :certdnsnames => ['*:*.*:*.*.*:*.*.*.*:*.*.*.*.*:*.*.*.*.*.*', "The DNS
- names on the Server certificate as a colon-separated list. Defaults
- to wildcard match for all DNS names up to 6 dot-separated components
- long."],
+ :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
+ If it's anything other than an empty string, it will be used as an alias in the created
+ certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
:certdir => ["$ssldir/certs", "The certificate directory."],
:publickeydir => ["$ssldir/public_keys", "The public key directory."],
:privatekeydir => { :default => "$ssldir/private_keys",
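Review bot: The new setting description ends with "only for 'puppet'", but the accompanying sslcertificates.rb change adds three aliases to the CA host's certificate ('puppet', the fqdn, and 'puppet.$domain'), and when the setting is non-empty it also appends the fqdn to the configured list; the docstring should match what the code emits, since operators will read this text to decide what SANs their certificates carry. Suggest replacing the added description with `"The DNS names on the Server certificate as a colon-separated list. If set to anything other than an empty string, each entry plus the host's fqdn is added as a DNS subjectAltName. By default only the CA host's own certificate gets aliases ('puppet', 'puppet.$domain' and its fqdn); other certificates get none."`. The `$domain` phrasing from the CHANGELOG is worth keeping here too so the two descriptions agree.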
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index e9d544125..bd0ce8c92 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -61,7 +61,16 @@ module Puppet::SSLCertificates
key_usage = %w{cRLSign keyCertSign}
when :server:
basic_constraint = "CA:FALSE"
- hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ dnsnames = Puppet[:certdnsnames]
+ name = hash[:name].to_s.sub(%r{/CN=},'')
+ if dnsnames != ""
+ dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
+ subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
+ end
key_usage = %w{digitalSignature keyEncipherment}
ext_key_usage = %w{serverAuth clientAuth}
when :ocsp:
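Review bot: The override branch (`if dnsnames != ""`) applies the configured aliases to every certificate mkcert builds with `:type => :server`, not just the CA host's own: `dnsnames = Puppet[:certdnsnames]` is read from the signing machine's global config, and that branch is not gated by the `name == Facter.value(:fqdn)` comparison that protects the default branch. Since ca.rb signs incoming CSRs through this same :server path, once an administrator sets certdnsnames every agent certificate signed by that CA would carry the master's DNS names in its subjectAltName, so any such agent could present its certificate as the master to other agents. The fqdn check should wrap both branches so aliases are only ever added to the CA host's own certificate. Two smaller points on the same lines: the regex `/^[^.]+./` has an unescaped `.` and so yields `puppet.` for a name with no dot (use `\.`), and `split(':')` on a list with an empty entry would emit a bare `DNS:` SAN. The enclosing `case`/`when :server:` branch and the mkcert method continue outside this hunk.
```ruby
basic_constraint = "CA:FALSE"
name = hash[:name].to_s.sub(%r{/CN=},'')
# Aliases belong only on the CA host's own server certificate; agent
# CSRs are signed through this same path and must not receive them.
if name == Facter.value(:fqdn)
  dnsnames = Puppet[:certdnsnames]
  if dnsnames != ""
    dnsnames.split(':').reject { |d| d.empty? }.each { |d| subject_alt_name << 'DNS:' + d }
  else
    subject_alt_name << 'DNS:' + "puppet"                        # 'puppet' as an alias
    subject_alt_name << 'DNS:' + name.sub(/^[^.]+\./, "puppet.") # puppet.$domain as an alias
  end
  subject_alt_name << 'DNS:' + name # the fqdn is always an alias
end
# … unchanged: key_usage / ext_key_usage …
```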
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 161eb11b3..a3edd2cb4 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -288,7 +288,6 @@ class Puppet::SSLCertificates::CA
newcert = Puppet::SSLCertificates.mkcert(
:type => :server,
:name => csr.subject,
- :dnsnames => Puppet[:certdnsnames],
:ttl => ttl,
:issuer => @cert,
:serial => serial,