-rw-r--r-- | CHANGELOG | 10 | ||||
-rw-r--r-- | lib/puppet/defaults.rb | 7 | ||||
-rwxr-xr-x | lib/puppet/sslcertificates.rb | 11 | ||||
-rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 1 |
4 files changed, 23 insertions, 6 deletions
@@ -1,3 +1,13 @@
+ Modifying the behaviour of the certdnsnames setting. It now defaults
+ to an empty string, and will only be used if it is set to something
+ else. If it is set, then the host's FQDN will also be added as
+ an alias. The default behaviour is now to add 'puppet' and
+ 'puppet.$domain' as DNS aliases when the name for the cert being
+ signed is equal to the signing machine's name, which will only
+ be the case for CA servers. This should result in servers always
+ having the alias set up and no one else, but you can still override
+ the aliases if you want.
+ External node support now requires that you set the 'node_terminus' setting to 'exec'. See the IndirectionReference on the wiki for more information.
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 2e0daf60f..c5902cea9 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -167,10 +167,9 @@ module Puppet
 Puppet.setdefaults(:ssl, :certname => [fqdn, "The name to use when handling certificates. Defaults to the fully qualified domain name."],
- :certdnsnames => ['*:*.*:*.*.*:*.*.*.*:*.*.*.*.*:*.*.*.*.*.*', "The DNS
- names on the Server certificate as a colon-separated list. Defaults
- to wildcard match for all DNS names up to 6 dot-separated components
- long."],
+ :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
+ If it's anything other than an empty string, it will be used as an alias in the created
+ certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
 :certdir => ["$ssldir/certs", "The certificate directory."], :publickeydir => ["$ssldir/public_keys", "The public key directory."], :privatekeydir => { :default => "$ssldir/private_keys",
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index e9d544125..bd0ce8c92 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
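Review bot: The new description of `certdnsnames` does not match what the same commit implements: per the CHANGELOG hunk above, the empty-string default adds 'puppet', 'puppet.$domain' and the host's FQDN (not only 'puppet'), and a non-empty value is written into created certificates generally, with the FQDN appended. Since this string is the only documentation an operator sees for a setting that decides which hostnames a signed certificate is valid for, it should say which certificates receive the aliases and what the default actually produces. Suggested wording: `"The DNS names to add to the subjectAltName of a server certificate, as a colon-separated list. If set, these names plus the certificate's own name are added; if left empty (the default), only a certificate for the CA host's own name gets 'puppet' and 'puppet.$domain' as aliases."`. The enclosing `Puppet.setdefaults(:ssl,` call continues outside the hunk.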
@@ -61,7 +61,16 @@ module Puppet::SSLCertificates
 key_usage = %w{cRLSign keyCertSign}
 when :server:
 basic_constraint = "CA:FALSE"
- hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ dnsnames = Puppet[:certdnsnames]
+ name = hash[:name].to_s.sub(%r{/CN=},'')
+ if dnsnames != ""
+ dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
+ subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
+ subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+ subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
+ end
 key_usage = %w{digitalSignature keyEncipherment}
 ext_key_usage = %w{serverAuth clientAuth}
 when :ocsp:
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 161eb11b3..a3edd2cb4 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -288,7 +288,6 @@ class Puppet::SSLCertificates::CA
 newcert = Puppet::SSLCertificates.mkcert(
 :type => :server,
 :name => csr.subject,
- :dnsnames => Puppet[:certdnsnames],
 :ttl => ttl,
 :issuer => @cert,
 :serial => serial,
|
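Review bot: The new `if dnsnames != ""` branch writes the configured aliases (plus the subject name) into every `:server` certificate this code builds, with no check on whose CSR it is, whereas the `elsif` branch only adds aliases when `name == Facter.value(:fqdn)`. With `certdnsnames` set, any host whose CSR the CA signs therefore receives a certificate valid for the master's names — `:name` comes from `csr.subject` in the ca.rb hunk below, so the subject is supplied by the requesting host — and could presumably present it as the master to other agents. Gate that branch the same way, `if dnsnames != "" && name == Facter.value(:fqdn)`, or, if the setting is meant for a master that is not the CA, compare against that host's configured name rather than the signing host's FQDN. Separately, the unescaped dot in `/^[^.]+./` matches any character, so a bare hostname with no dots yields the alias `puppet.`; use `/^[^.]+\./`. The enclosing `when :server:` arm belongs to a case statement that starts and ends outside the hunk.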