diff options
| author | Jacob Helwig <jacob@puppetlabs.com> | 2010-09-21 14:01:15 -0700 |
|---|---|---|
| committer | Markus Roberts <Markus@reality.com> | 2010-09-28 15:36:23 -0700 |
| commit | 66cf3a925b4b6d9b40cbdf95f2be6575bb05a881 (patch) | |
| tree | d79edb7a8867a2e748e9b6f8bd4f3e191ade3aad /lib | |
| parent | d54352a0cc305cfada05d9ecb927e79957c8d744 (diff) | |
| download | puppet-66cf3a925b4b6d9b40cbdf95f2be6575bb05a881.tar.gz puppet-66cf3a925b4b6d9b40cbdf95f2be6575bb05a881.tar.xz puppet-66cf3a925b4b6d9b40cbdf95f2be6575bb05a881.zip | |
Fix #4226 - Prepend 'Puppet CA: ' to fqdn for default root ca_name
Having a root ca_name that matches the fqdn of the puppet master would
cause certificate lookup problems on some clients, resulting in failed SSL
negotiation.
Signed-off-by: Jacob Helwig <jacob@puppetlabs.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/defaults.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_request.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 14 |
3 files changed, 6 insertions, 12 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 318ff416b..972e9e66c 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -268,7 +268,7 @@ module Puppet setdefaults( :ca, - :ca_name => ["$certname", "The name to use the Certificate Authority certificate."], + :ca_name => ["Puppet CA: $certname", "The name to use the Certificate Authority certificate."], :cadir => { :default => "$ssldir/ca", :owner => "service", :group => "service", diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb index e4d06a039..2f6cae3f5 100644 --- a/lib/puppet/ssl/certificate_request.rb +++ b/lib/puppet/ssl/certificate_request.rb @@ -29,7 +29,7 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base # Support either an actual SSL key, or a Puppet key. key = key.content if key.is_a?(Puppet::SSL::Key) - # If we're a CSR for the CA, then use the real certname, rather than the + # If we're a CSR for the CA, then use the real ca_name, rather than the # fake 'ca' name. This is mostly for backward compatibility with 0.24.x, # but it's also just a good idea. common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] : name diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb index 63e6b922a..f3321bd29 100644 --- a/lib/puppet/sslcertificates/ca.rb +++ b/lib/puppet/sslcertificates/ca.rb @@ -147,21 +147,19 @@ class Puppet::SSLCertificates::CA # Create the root certificate. def mkrootcert - # Make the root cert's name the FQDN of the host running the CA. - name = Facter["hostname"].value + # Make the root cert's name "Puppet CA: " plus the FQDN of the host running the CA. + name = "Puppet CA: #{Facter["hostname"].value}" if domain = Facter["domain"].value name += ".#{domain}" end - cert = Certificate.new( - + cert = Certificate.new( :name => name, :cert => @config[:cacert], :encrypt => @config[:capass], :key => @config[:cakey], :selfsign => true, :ttl => ttl, - :type => :ca ) @@ -241,19 +239,15 @@ class Puppet::SSLCertificates::CA f << "%04X" % (serial + 1) } - - newcert = Puppet::SSLCertificates.mkcert( - + newcert = Puppet::SSLCertificates.mkcert( :type => :server, :name => csr.subject, :ttl => ttl, :issuer => @cert, :serial => serial, - :publickey => csr.public_key ) - sign_with_key(newcert) self.storeclientcert(newcert) |