Details
Bug
Status: Resolved
Normal
Resolution: Fixed
None
Froyo
2
Froyo - 7/14/2021
Customer Feedback
Bug Fix
`puppetserver ca generate` will no longer always error when `allow-subject-alt-names` is false.
Needs Assessment
Description
Puppet Version: 7.7.0
Puppet Server Version: 7.2.0
OS Name/Version: CentOS 7.9
When using the puppetserver ca generate --certname <CERTNAME> command to generate a certificate, the new certificate always has the SAN attribute set to DNS:<CERTNAME>.
--subject-alt-names was not used on the CLI:
```
# puppetserver ca generate --certname this-is-a-test.desy.de
Successfully saved private key for this-is-a-test.desy.de to /etc/puppetlabs/puppet/ssl/private_keys/this-is-a-test.desy.de.pem
Successfully saved public key for this-is-a-test.desy.de to /etc/puppetlabs/puppet/ssl/public_keys/this-is-a-test.desy.de.pem
Error:
When attempting to submit certificate request for 'this-is-a-test.desy.de', received:
code: 400
body: CSR 'this-is-a-test.desy.de' contains subject alternative names (DNS:this-is-a-test.desy.de), which are disallowed. To allow subject alternative names, set allow-subject-alt-names to true in your puppetserver.conf file, restart the puppetserver, and try signing this certificate again.
```
We use the puppetserver ca generate feature to create some special certificates, which are not directly used or generated by a Puppet agent.
Desired Behavior:
puppetserver ca generate --certname <CERTNAME> should not set the SAN attribute without --subject-alt-names
Actual Behavior:
puppetserver ca generate --certname <CERTNAME> sets the SAN attribute by default to DNS:<CERTNAME> in the certificate.
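
An added example, not part of the original report and not Puppet's own code: a shell check that lists the subjectAltName entries in a CSR and flags the ones a CA with `allow-subject-alt-names` set to false would refuse. It assumes `openssl` is installed and, as in the error above, that any SAN is rejected when the setting is false; the function names and the hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Puppet code). Hostnames and file names are constructed.

# make_csr NAME OUTFILE [SAN]: create a throwaway key and a CSR for NAME.
# SAN, e.g. "DNS:host.example", is optional; without it no SAN is requested.
make_csr() {
    name=$1; out=$2; san=${3:-}
    dir=$(mktemp -d) || return 1
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        if [ -n "$san" ]; then
            printf 'req_extensions = ext\n[ext]\nsubjectAltName = %s\n' "$san"
        fi
        printf '[dn]\nCN = %s\n' "$name"
    } > "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -config "$dir/req.cnf" -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# csr_sans FILE: print the SAN list of a PEM CSR, or nothing if it has none.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); print }'
}

# check_csr FILE ALLOW: ALLOW mirrors allow-subject-alt-names (true/false).
# Assumption: with ALLOW=false, any SAN in the CSR leads to rejection.
check_csr() {
    sans=$(csr_sans "$1")
    if [ -n "$sans" ] && [ "$2" != "true" ]; then
        echo "reject: CSR contains subject alternative names ($sans)"
        return 1
    fi
    echo "accept"
}

# Demo on two constructed CSRs: one plain, one shaped like the CSR in the error.
demo=$(mktemp -d)
make_csr this-is-a-test.example "$demo/plain.csr"
make_csr this-is-a-test.example "$demo/san.csr" "DNS:this-is-a-test.example"
for f in plain san; do
    printf '%s.csr: %s\n' "$f" "$(check_csr "$demo/$f.csr" false)"
done
rm -rf "$demo"
```
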