  1. Puppet Server
  2. SERVER-3032

puppetserver ca generate always sets subject alternative name

    Details

    • Template:
      PUP Bug Template
    • Team:
      Froyo
    • Story Points:
      2
    • Sprint:
      Froyo - 7/14/2021
    • Method Found:
      Customer Feedback
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      `puppetserver ca generate` will no longer always error when `allow-subject-alt-names` is false.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 7.7.0
      Puppet Server Version: 7.2.0
      OS Name/Version: CentOS 7.9

      When using the puppetserver ca generate --certname <CERTNAME> command to generate a certificate, the new certificate always has the SAN attribute set to DNS:<CERTNAME>.
      --subject-alt-names was not used on the CLI:

      # puppetserver ca generate --certname this-is-a-test.desy.de
      Successfully saved private key for this-is-a-test.desy.de to /etc/puppetlabs/puppet/ssl/private_keys/this-is-a-test.desy.de.pem
      Successfully saved public key for this-is-a-test.desy.de to /etc/puppetlabs/puppet/ssl/public_keys/this-is-a-test.desy.de.pem
      Error:
          When attempting to submit certificate request for 'this-is-a-test.desy.de', received:
            code: 400
            body: CSR 'this-is-a-test.desy.de' contains subject alternative names (DNS:this-is-a-test.desy.de), which are disallowed. To allow subject alternative names, set allow-subject-alt-names to true in your puppetserver.conf file, restart the puppetserver, and try signing this certificate again.
      

      We use the puppetserver ca generate feature to create some special certificates, which are not directly used or generated by a Puppet agent.

      Desired Behavior:
      puppetserver ca generate --certname <CERTNAME> should not set the SAN attribute without --subject-alt-names.

      Actual Behavior:
      puppetserver ca generate --certname <CERTNAME> sets the SAN attribute by default to DNS:<CERTNAME> in the certificate.
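
The following is an added example, not part of the ticket or of Puppet Server's code: it inspects a CSR for a subjectAltName extension with openssl and models how a CA with allow-subject-alt-names set to false treats it. The hostname, file names and helper functions are constructed for the demo, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: check a CSR for a subjectAltName extension before submission.
# demo-host.example.test and all file names are constructed for this demo.

# Print the SAN entries of a PEM CSR (prints nothing if there is no SAN).
csr_san() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 | sed 's/^ *//'
}

# Simplified model (an assumption, not Puppet Server's implementation) of the
# CA-side decision in the error above: with SANs disallowed, any CSR carrying
# the extension is refused, even if the only entry is DNS:<certname>.
# usage: ca_would_accept <csr.pem> <true|false>
ca_would_accept() {
  [ -z "$(csr_san "$1")" ] || [ "$2" = "true" ]
}

# Build two throwaway CSRs: one CN-only, one with SAN DNS:<certname>,
# the shape the ticket reports for `puppetserver ca generate`.
# usage: make_demo_csrs <dir> <certname>
make_demo_csrs() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/plain.key" -out "$1/plain.csr" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/san.key" -out "$1/san.csr" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_csrs "$demo_dir" "demo-host.example.test"
for f in plain san; do
  if ca_would_accept "$demo_dir/$f.csr" false; then
    verdict=accepted
  else
    verdict=rejected
  fi
  echo "$f.csr SAN='$(csr_san "$demo_dir/$f.csr")' allow-subject-alt-names=false -> $verdict"
done
```
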

            People

            Assignee:
            maggie Maggie Dreyer
            Reporter:
            stdietrich Stefan Dietrich