[PUP-9481] Setting certname in multiple sections bypasses validation - Puppet Jira Server

XML

Word

Printable

Release Notes:
Bug Fix
Release Notes Summary:

Hide
Previously puppet only validated the "certname" setting if the was specified in the "main" setting, but not if the value was in a non-global setting such as "agent". As a result, it was possible to set the "certname" setting to a value containing uppercase letters, which prevented the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in.

Show
Previously puppet only validated the "certname" setting if the was specified in the "main" setting, but not if the value was in a non-global setting such as "agent". As a result, it was possible to set the "certname" setting to a value containing uppercase letters, which prevented the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in.

Puppet Version: 6.0.5
Puppet Server Version: N/A
OS Name/Version: Windows Server 2012, CentOS 7

When a config file is created with the certname setting on both the agent and main sections as follows:

[main]

certname = my-windows-server.puppet.com

[agent]

certname = MY-WINDOWS-SERVER.puppet.com

Puppet's validation that certnames must be lowercase if bypassed and allows for very broken certs to be generated

Desired Behavior: Cert generation fails with "Error: Could not initialize global default settings: Certificate names must be lower case"

Actual Behavior: Certs are generated with uppercase names

is duplicated by

PUP-10426 if certname entry is not in [main] section of puppet.conf file provide a warning

relates to

SERVER-1809 Uppercase characters in certname cause pain and suffering