-rw-r--r-- | CHANGELOG | 5 | ||||
-rw-r--r-- | lib/puppet/defaults.rb | 2 | ||||
-rwxr-xr-x | lib/puppet/sslcertificates.rb | 24 | ||||
-rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 1 |
4 files changed, 18 insertions, 14 deletions
@@ -1,3 +1,8 @@ + Certificates now always specify a subjectAltName, but it defaults + to '*', meaning that it doesn't require DNS names to match. You + can override that behaviour by specifying a value for + 'certdnsnames', which will then require that hostname as a match (#896). + Relationship metaparams (:notify, :require, :subscribe, and :before) now stack when they are collecting metaparam values from their containers (#446). For instance, if a resource diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 5914c3219..a3991bbaa 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -155,6 +155,8 @@ module Puppet Puppet.setdefaults(:ssl, :certname => [fqdn, "The name to use when handling certificates. Defaults to the fully qualified domain name."], + :certdnsnames => ['*', "The DNS names on the Server certificate as a colon- + separated list. Defaults to * (wildcard match for all names)."], :certdir => ["$ssldir/certs", "The certificate directory."], :publickeydir => ["$ssldir/public_keys", "The public key directory."], :privatekeydir => { :default => "$ssldir/private_keys", diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb index 45b9e7a72..1139db048 100755 --- a/lib/puppet/sslcertificates.rb +++ b/lib/puppet/sslcertificates.rb @@ -9,7 +9,7 @@ rescue LoadError end module Puppet::SSLCertificates - #def self.mkcert(type, name, ttl, issuercert, issuername, serial, publickey) + #def self.mkcert(type, name, dnsnames, ttl, issuercert, issuername, serial, publickey) def self.mkcert(hash) [:type, :name, :ttl, :issuer, :serial, :publickey].each { |param| unless hash.include?(param) @@ -39,6 +39,7 @@ module Puppet::SSLCertificates basic_constraint = nil key_usage = nil ext_key_usage = nil + subject_alt_name = [] ef = OpenSSL::X509::ExtensionFactory.new 
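Review bot: The `:certdnsnames` description in defaults.rb should say that the value is written verbatim into the subjectAltName of every server certificate this CA issues and is read from the CA's own configuration rather than from the requesting host — the ca.rb hunk passes `Puppet[:certdnsnames]` through unchanged. Whether a bare `DNS:*` entry is treated as "matches any name" is decided by the verifying client's hostname check, not by the certificate, so "wildcard match for all names" is a promise some TLS clients will not keep. A wording such as `"The DNS names put in the subjectAltName of every server certificate this CA signs, as a colon-separated list. Defaults to *, which some clients accept as matching any name."` states what the setting actually does.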
@@ -60,16 +61,17 @@ module Puppet::SSLCertificates
 key_usage = %w{cRLSign keyCertSign}
 when :server:
 basic_constraint = "CA:FALSE"
+ hash[:dnsnames].each(':') { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
 key_usage = %w{digitalSignature keyEncipherment}
- ext_key_usage = %w{serverAuth clientAuth}
+ ext_key_usage = %w{serverAuth clientAuth}
 when :ocsp:
 basic_constraint = "CA:FALSE"
 key_usage = %w{nonRepudiation digitalSignature}
- ext_key_usage = %w{serverAuth OCSPSigning}
+ ext_key_usage = %w{serverAuth OCSPSigning}
 when :client:
 basic_constraint = "CA:FALSE"
 key_usage = %w{nonRepudiation digitalSignature keyEncipherment}
- ext_key_usage = %w{clientAuth emailProtection}
+ ext_key_usage = %w{clientAuth emailProtection}
 ex << ef.create_extension("nsCertType", "client,email")
 else
 raise Puppet::Error, "unknown cert type '%s'" % hash[:type]
@@ -80,12 +82,9 @@ module Puppet::SSLCertificates
 ex << ef.create_extension("basicConstraints", basic_constraint, true)
 ex << ef.create_extension("subjectKeyIdentifier", "hash")
- if key_usage
- ex << ef.create_extension("keyUsage", key_usage.join(","))
- end
- if ext_key_usage
- ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","))
- end
+ ex << ef.create_extension("keyUsage", key_usage.join(",")) if key_usage
+ ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) if ext_key_usage
+ ex << ef.create_extension("subjectAltName", subject_alt_name.join(",")) if ! subject_alt_name.empty?
 #if @ca_config[:cdp_location] then
 # ex << ef.create_extension("crlDistributionPoints",
@@ -99,10 +98,7 @@ module Puppet::SSLCertificates
 cert.extensions = ex
 # for some reason this _must_ be the last extension added
- if hash[:type] == :ca
- ex << ef.create_extension("authorityKeyIdentifier",
- "keyid:always,issuer:always")
- end
+ ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if hash[:type] == :ca
 return cert
 end
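Review bot: `hash[:dnsnames].each(':')` in the `:server` branch is `String#each` with a record separator, which yields every piece including its trailing separator (`"a:b".each(':')` yields `"a:"` then `"b"`), so a multi-name setting produces entries such as `DNS:a:` and only the last name comes out right; the default `*` only works because it contains no colon. The line should read `hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]` — `split` also drops empty fields, so a stray trailing colon does not become an empty `DNS:` entry. `String#each` was removed in Ruby 1.9, where this call raises NoMethodError, which `split` avoids as well. mkcert's body starts and ends outside this hunk.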
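Review bot: The new subjectAltName line in the `@@ -80,12 +82,9 @@` hunk uses `if ! subject_alt_name.empty?`; the idiomatic form is `unless subject_alt_name.empty?`, and the two rewritten lines just above it already use the positive modifier form, so the negation stands out. As far as the hunks show, `subject_alt_name` is only appended to in the `:server` branch, so a comment on that line such as `# only server certs get a subjectAltName (see the :server branch)` would spare the reader a trip back up the method.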
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb index 39facdd48..e1b5f2386 100644 --- a/lib/puppet/sslcertificates/ca.rb +++ b/lib/puppet/sslcertificates/ca.rb @@ -278,6 +278,7 @@ class Puppet::SSLCertificates::CA newcert = Puppet::SSLCertificates.mkcert( :type => :server, :name => csr.subject, + :dnsnames => Puppet[:certdnsnames], :ttl => ttl, :issuer => @cert, :serial => serial, |
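Review bot: `:dnsnames => Puppet[:certdnsnames]` stamps the CA's one global setting onto every server certificate it signs, so the subjectAltName is not derived from the requesting host at all, and with the shipped default every issued server certificate carries `DNS:*`. That removes the hostname binding a server certificate exists to provide: to any client that honours the bare wildcard, each of these certificates is valid for every name, so a compromised or misconfigured node's certificate is no longer limited to that node. Consider emitting the CN of `csr.subject` as a `DNS:` entry by default and treating `certdnsnames` as additional names, and logging the SAN list at issue time so the decision is auditable; at minimum the risk belongs in the `certdnsnames` description. The enclosing method starts and ends outside this hunk.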