Feature #14882

open

Puppet CA signing should support --allow-dns-alt-names

Added by Robert Heinzmann almost 8 years ago. Updated about 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: PuppetCA
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

When adding additional DNS names to the Puppet certificates, the signing needs extra parameters.

Foreman smart proxy should support "--allow-dns-alt-names" as an option in foreman.yaml.

Puppet config:

[agent]
dns_alt_names = webhook.server.example.com

[root@SERVER]# puppet cert sign "server.example.com"
Error: CSR 'server.example.com' contains subject alternative names (DNS:server.example.com, DNS:webhook.server.example.com), which are disallowed. Use `puppet cert --allow-dns-alt-names sign server.example.com` to sign this request.
[root@SERVER]# puppet cert sign --allow-dns-alt-names "server.example.com" 
Notice: Signed certificate request for server.example.com
Notice: Removing file Puppet::SSL::CertificateRequest server.example.com at '/var/lib/puppet/ssl_master/ca/requests/server.example.com.pem'

It seems puppet-proxy modules/puppetca/puppetca_main.rb does not add this option.

Release:

[root@puppet foreman-proxy]# rpm -qa | grep foreman-proxy
foreman-proxy-1.11.1-1.el7.noarch

Actions #1

Updated by Dominic Cleal almost 8 years ago

  • Project changed from Foreman to Smart Proxy
  • Subject changed from Smart Proxy should support --allow-dns-alt-names to Puppet CA signing should support --allow-dns-alt-names
  • Category changed from Smart Proxy to Puppet

Actions #2

Updated by The Foreman Bot about 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/510 added

Actions #3

Updated by Tomer Brisker over 6 years ago

  • Category changed from Puppet to PuppetCA

Actions #4

Updated by Lukas Zapletal about 5 years ago

  • Tracker changed from Bug to Feature
  • Status changed from Ready For Testing to New
  • Difficulty deleted (easy)
  • Triaged changed from No to Yes

Thanks for the patch so far, this needs to be a configurable option, possibly with a list of hostnames as folks suggest. Please rebase, add config option, tests and reopen or file a new PR if you want this functionality.
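The "list of hostnames" idea from the comment above can be enforced by reading the alt names out of the CSR before `--allow-dns-alt-names` is ever passed, so that a node cannot obtain a certificate valid for names nobody approved. The sketch below is an added example, not code from smart-proxy or the pull request; `csr_alt_names`, `puppet_sign_argv`, the `allowed` hash and the throwaway CSR built by `sample_csr` are hypothetical names and constructed input.

```ruby
require 'openssl'

# All subjectAltName entries (e.g. "DNS:host") requested by a PEM-encoded CSR.
def csr_alt_names(csr_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  ext_req = csr.attributes.find { |attr| attr.oid == 'extReq' }
  return [] unless ext_req
  # extReq holds a SET containing one SEQUENCE of extensions.
  ext_req.value.value.first.value.flat_map do |asn1|
    ext = OpenSSL::X509::Extension.new(asn1.to_der)
    ext.oid == 'subjectAltName' ? ext.value.split(/\s*,\s*/) : []
  end
end

# Hypothetical policy: a SAN passes only if it is a DNS name equal to the
# certname or listed for that certname in `allowed` (certname => [names]).
# Returns the command line to run; raises instead of signing anything else.
def puppet_sign_argv(certname, csr_pem, allowed)
  sans = csr_alt_names(csr_pem)
  return ['puppet', 'cert', 'sign', certname] if sans.empty?
  permitted = ([certname] + Array(allowed[certname])).map(&:downcase)
  rejected = sans.reject do |san|
    kind, name = san.split(':', 2)
    kind == 'DNS' && permitted.include?(name.to_s.downcase)
  end
  unless rejected.empty?
    raise ArgumentError, "CSR '#{certname}' requests unapproved alt names: #{rejected.join(', ')}"
  end
  ['puppet', 'cert', 'sign', '--allow-dns-alt-names', certname]
end

# Constructed sample input: builds a throwaway CSR carrying the given SANs.
def sample_csr(certname, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', alt_names.map { |n| "DNS:#{n}" }.join(','))
    ext_seq = OpenSSL::ASN1::Sequence([san])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', OpenSSL::ASN1::Set([ext_seq])))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end
```

With `allowed = { 'server.example.com' => ['webhook.server.example.com'] }`, the CSR from the description yields the `--allow-dns-alt-names` command line, while a CSR asking for any other name is refused before the CA is invoked.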
