Bug #18149
closed
Puppet CA returns invalid certificates if using organizational units in the distinguished name
Description
When setting up MCollective for orchestration, and signing client certificates into a separate OU, like the following:
    # puppet cert --list --all | grep foreman-proxy.mcollective
    + "foreman-proxy.mcollective" (SHA256) ...
    # cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt | grep foreman-proxy.mcollective
    0xffff 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective
then the returned JSON from the CA proxy fails to concatenate the data, resulting in output like the following:
    "foreman-proxy.mcollective": {
      "fingerprint": "SHA256",
      "state": "valid"
    },
    "foreman-proxy.mcollective/OU=mcollective": {
      "not_after": "2022-01-17T13:08:26UTC",
      "not_before": "2017-01-17T13:08:26UTC",
      "serial": 1449
    },
When this invalid data finally makes its way up to the Foreman web-UI, then the CA smart proxy page fails to render, which ends up as an inconvenience at best.
Attached is a workaround that has been tested on our Foreman instance, and successfully proven to work around the issue.
I'm unsure if the fix is the best - or even the correct - way to solve the issue however, so going to wait for a comment or two on it before throwing up a pull request for it.
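Added example, not part of the original report and not the smart proxy's own code or the attached workaround: one way to key inventory.txt entries by the CN attribute alone, so that a subject with an extra OU merges with the entry from the certificate list. The function names and the second sample line are hypothetical; the parser assumes the one-line "/KEY=value" subject form shown above, with no "/" inside attribute values.

```ruby
# Constructed sample: first line is the inventory.txt entry from the report,
# second line is a made-up certificate without an OU for comparison.
INVENTORY_SAMPLE = <<~TXT
  0xffff 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=foreman-proxy.mcollective/OU=mcollective
  0x0002 2017-01-17T13:08:26UTC 2022-01-17T13:08:26UTC /CN=plain.example.com
TXT

# Treating everything after "/CN=" as the name keeps the OU in the key,
# which yields the split entry shown in the JSON above.
def naive_name(dn)
  dn.sub(%r{\A/CN=}, '')
end

# Split a one-line subject ("/CN=a/OU=b") into its attributes.
def parse_dn(dn)
  dn.split('/').reject(&:empty?).each_with_object({}) do |rdn, attrs|
    key, value = rdn.split('=', 2)
    attrs[key.upcase] = value if key && value
  end
end

# Parse inventory.txt text into { cn => { serial:, not_before:, not_after: } }.
def parse_inventory(text)
  text.each_line.with_object({}) do |line, certs|
    serial, not_before, not_after, dn = line.strip.split(/\s+/, 4)
    next unless dn                      # skip blank or short lines
    cn = parse_dn(dn)['CN']
    next unless cn                      # skip subjects without a CN
    certs[cn] = { serial: Integer(serial, 16),
                  not_before: not_before, not_after: not_after }
  end
end

# Merge the state/fingerprint from the cert list with the inventory data.
def merge_state(states, inventory)
  states.each_with_object({}) do |(name, info), out|
    out[name] = info.merge(inventory.fetch(name, {}))
  end
end

if __FILE__ == $PROGRAM_NAME
  states = { 'foreman-proxy.mcollective' => { state: 'valid', fingerprint: 'SHA256' } }
  p merge_state(states, parse_inventory(INVENTORY_SAMPLE))
end
```
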