Bug #9605

Unable to install Foreman with dns_alt_names certificates when CA

Added by Benjamin Papillon about 4 years ago. Updated about 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Foreman modules
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Hello,

There could be a change in the Puppet behaviour regarding the use of alternate names in certificates.
The current installer uses the following steps to generate certificates that work with several names:
- Add the option "dns_alt_names = " in the main section of /etc/puppet/puppet.conf
- Create the certificate authority with # puppet cert -g $(facter fqdn)
I think this option has been retired from Puppet, as generated certificates don't have the dns_alt_names set. It can be verified with puppet cert print $(facter fqdn) or with openssl x509 -in <file> -text

The current Puppet documentation clearly states to disable the CA (ca = false), then add the option "dns_alt_names = " to /etc/puppet/puppet.conf:
Ref: https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#before-running-puppet-agent-or-puppet-master

In order to reproduce the problem, I can upload my vagrant files somewhere.

Benjamin

History

#1 Updated by Benjamin Papillon about 4 years ago

Note that puppet cert silently ignores the dns_alt_names directive and does not fail with an error code != 0 when generating the CA.

#2 Updated by Ewoud Kohl van Wijngaarden about 4 years ago

I recall there being something like --allow-dns-alt-names to explicitly allow it, but even though I added the options to the modules I never got around to fully automating it. The vagrant files would be helpful and if you could mention the puppet version used that would also help.

#3 Updated by Benjamin Papillon about 4 years ago

The option --allow-dns-alt-names is useful for signing the certificate requests with dns_alt option and on client side.
It is not supported with the puppet cert -g command.

I'm using Puppet from PuppetLabs repositories, currently 3.7.4.
Here are my vagrant file and provisioning scripts
https://antemeta.arcabox.net/invitations?invitation=da7a999c779cc6cb5500
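
Added example, not part of the thread or of the Foreman installer: since the description verifies the certificate with openssl x509 -text and comment #1 notes that generation still exits 0 when dns_alt_names is ignored, this shell check returns non-zero when an expected DNS name is missing from a certificate. The function names and the example.test hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and hostnames are constructed, not from the thread.
# Usage (certificate path is a placeholder):
#   cert_has_sans <cert.pem> "$(facter fqdn)" puppet || exit 1

# san_list CERT: print one DNS subjectAltName entry per line (nothing if absent).
san_list() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# cert_has_sans CERT NAME...: status 0 only if every NAME is a DNS SAN of CERT.
# An unreadable or SAN-less certificate yields an empty list, so the check fails.
cert_has_sans() {
    cert=$1; shift
    rc=0
    sans=$(san_list "$cert")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
            echo "MISSING dns_alt_name: $name in $cert" >&2
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_certs DIR: constructed test data. Writes a self-signed certificate
# with SANs (with_san.pem) and one without (no_san.pem) into DIR.
make_sample_certs() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = foreman.example.test
[san]
subjectAltName = DNS:foreman.example.test, DNS:puppet
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -extensions san -keyout "$1/a.key" -out "$1/with_san.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/b.key" -out "$1/no_san.pem" 2>/dev/null
}
```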
