Bug #27847: foreman-proxy-certs-generate uses a value for --foreman-proxy-cname to add a DNS record even if it is invalid - Installer - Foreman

Actions

Copy link

Bug #27847

closed

foreman-proxy-certs-generate uses a value for --foreman-proxy-cname to add a DNS record even if it is invalid

Added by Ewoud Kohl van Wijngaarden over 5 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Ewoud Kohl van Wijngaarden

Category:

Foreman modules

Target version:

Foreman - 1.24.0

Difficulty:

Triaged:

Yes

Bugzilla link:

1747581

Pull request:

https://github.com/theforeman/puppet-certs/pull/256, https://github.com/theforeman/puppet-certs/pull/259, https://github.com/theforeman/foreman-installer/pull/397, https://github.com/theforeman/puppet-certs/pull/260

Fixed in Releases:

Foreman - 1.24.0

Found in Releases:

Red Hat JIRA:

Description

foreman-proxy-certs-generate uses the value for --foreman-proxy-cname to add a DNS record in the SAN field regardless of that setting making sense or not. E.g. DNS:[] and DNS: <= empty string.

This is what foreman-proxy-certs-generate is generating for qpid-router-server.crt: (used by capsules' qdrouterd on port 5647 to listen to clients' goferds)

X509v3 Subject Alternative Name: 
                DNS:mycapsule.example.com, DNS:[]

The DNS:[] comes from the default value for --foreman-proxy-cname:
~~~
[root@sat65a ~]# foreman-proxy-certs-generate --help

(...snip...)

= Module foreman_proxy_certs:
--certs-tar Path to tar file with certs to generate (current: UNDEF)
--foreman-proxy-cname additional names of the foreman proxy (current: ["[]"]) <========= here
--foreman-proxy-fqdn FQDN of the foreman proxy (current: "sat65a.usersys.redhat.com")

Turns out, if you use `--foreman-proxy-cname ""` with `foreman-proxy-certs-generate` it will still generate certs with DNS:<fqdn>, DNS: <==== second DNS entry empty.

The problem is that puppet-strings parses the default as the string "[]" rather than an empty array [].