authorLuke Kanies <luke@madstop.com>2007-12-11 11:51:54 -0600
committerLuke Kanies <luke@madstop.com>2007-12-11 11:51:54 -0600
commitd9200a020075738c51af0c9269a40da23a17fd13 (patch)
treeb18986aff394ce9f4880d57ac2c4893290b6d324 /lib/puppet/sslcertificates.rb
parent74db7772df856bac39081df9bd006c20c7175ec7 (diff)
Adding what is hopefully the last commit for #896. Here's the
changelog: Modifying the behaviour of the certdnsnames setting. It now defaults to an empty string, and will only be used if it is set to something else. If it is set, then the host's FQDN will also be added as an alias. The default behaviour is now to add 'puppet' and 'puppet.$domain' as DNS aliases when the name for the cert being signed is equal to the signing machine's name, which will only be the case for CA servers. This should result in servers always having the alias set up and no one else, but you can still override the aliases if you want.
Diffstat (limited to 'lib/puppet/sslcertificates.rb')
-rwxr-xr-xlib/puppet/sslcertificates.rb11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index e9d544125..bd0ce8c92 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -61,7 +61,16 @@ module Puppet::SSLCertificates
key_usage = %w{cRLSign keyCertSign}
when :server:
basic_constraint = "CA:FALSE"
- hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ dnsnames = Puppet[:certdnsnames]
+ name = hash[:name].to_s.sub(%r{/CN=},'')
+ if dnsnames != ""
+ dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
+ subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
+ end
key_usage = %w{digitalSignature keyEncipherment}
ext_key_usage = %w{serverAuth clientAuth}
when :ocsp:
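Review bot: The `if dnsnames != ""` branch appends the configured `certdnsnames` aliases to every certificate that reaches the `:server` case, without checking that the cert being signed belongs to the signing host; only the `elsif` default path compares `name` with `Facter.value(:fqdn)`. If ordinary agent certificates are also issued with this type (the `clientAuth` usage just below suggests they may be, but the callers are outside this hunk), each of them would carry the master's DNS names in subjectAltName and would validate as the master to any peer trusting this CA. Consider gating the override the same way, e.g. `if dnsnames != "" && name == Facter.value(:fqdn)`, or taking the aliases from an explicit per-request argument instead of a global setting. Separately, the dot in `name.sub(/^[^.]+./, "puppet.")` is unescaped, so a name with no domain part is still rewritten (to `puppet.`); `/\A[^.]+\./` would match only a real first label. The enclosing `case` statement starts and ends outside the hunk.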