Berge Schwebs Bjørlo
2007-Dec-08 02:18 UTC
Creating certificates with puppetca with puppet.example.com as CommonName
Greetings!

As you undoubtedly know, the fixes for CVE 2007-5162 in ruby break installations where puppetca has created certificates with a CommonName different from the server's real hostname. The Puppet clients quite correctly complain about hostname mismatch.

A number of better and worse solutions have been suggested for this problem, especially in ticket #896. IMHO, there are two good solutions: Make puppet support SubjectAltName (there are patches for this in git, it seems), and/or instruct puppetca to use a different CN than the server's hostname. The last solution would be great - I'm even tempted to suggest that puppetca's default CN should be puppet.example.com, since that's the default server hostname for clients.

In any case: Is it possible to create certificates with puppetca with a custom CN, like puppet.example.com? We're running Debian Etch and are thus using Puppet 0.20.1.

Cheers,
-Berge
--
Berge Schwebs Bjørlo
Alegría!
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
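The hostname check behind the complaint above, as an added example that is not part of the thread: Ruby's own OpenSSL library (the one the CVE 2007-5162 fix hardened) compares a certificate's identity against the hostname the client connected to. The script constructs its own self-signed certificates with the names used in this thread (server1.domain.com for the master's real hostname, puppet.example.com for the alias clients use) to show the three cases the post discusses: CN equal to the real hostname, a custom CN, and a SubjectAltName carrying both names.

```ruby
require 'openssl'

# Build a self-signed certificate with the given CN and optional SAN
# DNS names. Constructed for this example: a real puppetca-issued cert
# is signed by the Puppet CA, but the identity check below is the same.
def make_cert(cn, san_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check Ruby's HTTPS client performs after the CVE fix: does the
# certificate's SAN (or, if there is none, its CN) match the hostname?
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Clients connect to puppet.example.com; the master's hostname is
# server1.domain.com (names taken from the thread, certs constructed here).
def scenarios
  host_cn  = make_cert('server1.domain.com')
  alias_cn = make_cert('puppet.example.com')
  san_cert = make_cert('server1.domain.com',
                       ['server1.domain.com', 'puppet.example.com'])
  {
    default_cn_via_alias: identity_ok?(host_cn, 'puppet.example.com'),  # false
    custom_cn_via_alias:  identity_ok?(alias_cn, 'puppet.example.com'), # true
    san_via_alias:        identity_ok?(san_cert, 'puppet.example.com'), # true
    san_via_hostname:     identity_ok?(san_cert, 'server1.domain.com')  # true
  }
end

scenarios.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'hostname mismatch'}" } if $PROGRAM_NAME == __FILE__
```

Only the first case reproduces the breakage the thread is about; a custom CN or a SAN listing both names is accepted whichever name the client uses.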
Luke Kanies
2007-Dec-08 18:36 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
On Dec 7, 2007, at 8:18 PM, Berge Schwebs Bjørlo wrote:

> In any case: Is it possible to create certificates with puppetca
> with a custom CN, like puppet.example.com? We're running Debian Etch
> and are thus using Puppet 0.20.1.

Sure, just generate a cert with that name:

    puppetca --generate <name>

I can't promise that --generate existed in 0.20.1, but the certs are all backward compatible, so you could use a more recent version to generate the cert and use that cert with your older release.

--
Q. Does Usenet help stamp out ignorance?
A. That depends on whether by "stamp out" you mean "eliminate" or
   "reproduce rapidly in great quantity." -- From the Usenet FAQ
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Berge Schwebs Bjørlo
2007-Dec-09 21:45 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
On Sat, Dec 08, 2007 at 12:36:08PM -0600, Luke Kanies wrote:

> Sure, just generate a cert with that name:
>
>     puppetca --generate <name>

Ah, great. But how do I tell puppetmaster to use that certificate?

> I can't promise that --generate existed in 0.20.1,

It did, thanks a lot.

Cheers,
-Berge
--
Berge Schwebs Bjørlo
Alegría!
Luke Kanies
2007-Dec-10 16:14 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
On Dec 9, 2007, at 3:45 PM, Berge Schwebs Bjørlo wrote:

> On Sat, Dec 08, 2007 at 12:36:08PM -0600, Luke Kanies wrote:
>> Sure, just generate a cert with that name:
>>
>>     puppetca --generate <name>
>
> Ah, great. But how do I tell puppetmaster to use that certificate?

Well, it looks for a cert based on its hostname, so just copy/move/link it so its name matches the server's name. E.g., if the server is server1.domain.com, copy it to /etc/puppet/ssl/certs/server1.domain.com or whatever. You'll need to do the same for the key.

--
Nonreciprocal Laws of Expectations:
  Negative expectations yield negative results.
  Positive expectations yield negative results.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Berge Schwebs Bjørlo
2007-Dec-10 20:01 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
On Mon, Dec 10, 2007 at 10:14:11AM -0600, Luke Kanies wrote:

> Well, it looks for a cert based on its hostname, so just copy/move/link it
> so its name matches the server's name.

Works like a charm, thanks again.

IMHO, this should be configurable from within the config files. Symlinking (as I did) like this is not very portable, in case one ever wants to move the service to a different box. If it were configurable, you could just move the config files and certificates to the new box, update DNS and be ready to go. Symlinking would be harder to keep track of.

Anyway, thanks again and have a splendid evening!

Cheers,
-Berge
--
Berge Schwebs Bjørlo
Alegría!
Frank Sweetser
2007-Dec-10 20:05 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
Berge Schwebs Bjørlo wrote:

> On Mon, Dec 10, 2007 at 10:14:11AM -0600, Luke Kanies wrote:
>> Well, it looks for a cert based on its hostname, so just copy/move/link it
>> so its name matches the server's name.
>
> Works like a charm, thanks again.
>
> IMHO, this should be configurable from within the config files. Symlinking
> (as I did) like this is not very portable, in case one ever wants to move the
> service to a different box. If it were configurable, you could just move the
> config files and certificates to the new box, update DNS and be ready to go.
> Symlinking would be harder to keep track of.

Actually, it already is, via the 'certname' parameter. The --genconfig option is your friend =)

--
Frank Sweetser fs at wpi.edu  | For every problem, there is a solution that
WPI Senior Network Engineer   | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Berge Schwebs Bjørlo
2007-Dec-10 20:13 UTC
Re: Creating certificates with puppetca with puppet.example.com as CommonName
On Mon, Dec 10, 2007 at 03:05:44PM -0500, Frank Sweetser wrote:

> Actually, it already is, via the 'certname' parameter. The --genconfig
> option is your friend =)

Ah, how nice. It seems to be missing in 0.20 (which is the version in Debian Etch), but it's there in 0.23 (in Debian Lenny).

Cheers,
-Berge
--
Berge Schwebs Bjørlo
Alegría!