Bug #9605
open
Unable to install Foreman with dns_alt_names certificates when CA
Description
Hello,
There could be a change in the puppet behaviour regarding the use of alternate names in certificates.
The current installer uses the following option to generate certificates that work with several names:
- Add the option "dns_alt_names = " in the main section of /etc/puppet/puppet.conf
- Create the certificate authority with # puppet cert -g $(facter fqdn)
I think this option has been retired from puppet as generated certificates don't have the dns_alt_names set. It can be verified with puppet cert print $(facter fqdn) or with openssl x509 -in <file> -text
The current Puppet documentation clearly states to disable the CA (ca = false), then add the option "dns_alt_names = " to /etc/puppet/puppet.conf:
Ref: https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#before-running-puppet-agent-or-puppet-master
In order to reproduce the problem, I can upload my vagrant files somewhere.
Benjamin
Updated by Benjamin Papillon about 9 years ago
Note that puppet cert silently ignores the dns_alt_names directive and does not fail with an error code != 0 when generating the CA.
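A check for the failure reported above, as an added example that is not part of the original report or of the Foreman installer: because puppet cert exits 0 even when the alt names are dropped, this shell function reads the text output of openssl x509 and returns non-zero when an expected DNS name is missing from the certificate. The function name, host names and sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use (the file path is yours to supply):
#   openssl x509 -in <file> -noout -text | missing_sans "puppet,puppet.example.com"

# missing_sans "name1,name2,...": reads `openssl x509 -text` output on stdin,
# prints every expected DNS name that is absent from the certificate's
# subjectAltName extension, and returns 1 if any name is missing.
missing_sans() {
    awk -v expected="$1" '
        BEGIN { bad = 0 }
        /X509v3 Subject Alternative Name/ {
            getline                      # entries are on the following line
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                e = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)
                # DNS names compare case-insensitively
                if (e ~ /^DNS:/) have[tolower(substr(e, 5))] = 1
            }
        }
        END {
            n = split(expected, want, ",")
            for (i = 1; i <= n; i++) {
                w = want[i]
                gsub(/^[ \t]+|[ \t]+$/, "", w)
                if (w != "" && !(tolower(w) in have)) { print w; bad = 1 }
            }
            exit bad
        }
    '
}

# Constructed sample: certificate text that carries the alt names.
SAMPLE_WITH_SAN='Certificate:
    Data:
        Subject: CN=foreman.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:foreman.example.com, DNS:puppet, DNS:puppet.example.com'

# Constructed sample: what the report describes, no alt names at all.
SAMPLE_NO_SAN='Certificate:
    Data:
        Subject: CN=foreman.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE'

if ! printf '%s\n' "$SAMPLE_NO_SAN" | missing_sans "puppet" >/dev/null; then
    echo "constructed sample without alt names: check fails as intended"
fi
```

Run after certificate generation, the non-zero return turns the silent omission into a step that stops provisioning.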
Updated by Ewoud Kohl van Wijngaarden about 9 years ago
I recall there being something like --allow-dns-alt-names to explicitly allow it, but even though I added the options to the modules I never got around to fully automating it. The vagrant files would be helpful and if you could mention the puppet version used that would also help.
Updated by Benjamin Papillon about 9 years ago
The option --allow-dns-alt-names is useful for signing the certificate requests with the dns_alt option and on the client side.
It is not supported with the puppet cert -g command.
I'm using Puppet from PuppetLabs repositories, currently 3.7.4.
Here are my vagrant file and provisioning scripts:
https://antemeta.arcabox.net/invitations?invitation=da7a999c779cc6cb5500