Feature #10169
ca_name default value is misleading and can cause problems.
| Status: | Needs More Information | Start date: | 10/19/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | SSL | | |
| Target version: | 3.x | | |
| Affected Puppet version: | | Branch: | |
| Keywords: | | | |
Description
The default value for the $ca_name configuration setting is somewhat misleading:
:ca_name => ["Puppet CA: $certname", "The name to use the Certificate Authority certificate."],
This makes it look like the certname is an important attribute when it isn’t, and it’s even more misleading when the certname is the fqdn.
This also means that the name doesn’t change when you start up an entire new CA on the same host, which can cause problems for clients who have the previous CA cached.
I suggest we incorporate a timestamp and clean up the string so it’s more accurate, like:
Puppet CA: Generated on $fqdn at $timestamp
like:
Puppet CA: Generated on puppet.mydomain.com at 2011-10-19
I don’t believe we need the timestamp to be finer-grained than one day, but feedback welcome.
“Generated” may not be the most appropriate word here.
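An added example, not part of the original ticket or of Puppet's code: it uses the `openssl` CLI to show that a rebuilt CA keeping the current default name has the same subject as the CA clients have cached but a different key, while the dated name proposed above gives each CA a distinct subject. The host name, the dates and the helper names `make_ca` and `compare_cas` are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; host name, dates and function names are constructed.

# make_ca NAME DIR: create a fresh self-signed CA whose subject CN is NAME.
make_ca() {
    mkdir -p "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2/ca_key.pem" -out "$2/ca_crt.pem" 2>/dev/null
}

# Hash of the subject name only (what a by-name issuer lookup keys on).
subject_hash() { openssl x509 -in "$1/ca_crt.pem" -noout -subject_hash; }

# Hash of the whole certificate, which changes whenever the key changes.
fingerprint() { openssl x509 -in "$1/ca_crt.pem" -noout -fingerprint -sha256; }

# compare_cas CACHED NEW prints one of:
#   same-ca    identical certificate
#   collision  same subject name, different certificate (stale cache risk)
#   distinct   different subject name, so the two CAs cannot be confused
compare_cas() {
    if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then
        echo same-ca
    elif [ "$(subject_hash "$1")" = "$(subject_hash "$2")" ]; then
        echo collision
    else
        echo distinct
    fi
}

work=$(mktemp -d)

# Current default: "Puppet CA: $certname", CA rebuilt on the same host.
make_ca "Puppet CA: puppet.example.com" "$work/cached"
make_ca "Puppet CA: puppet.example.com" "$work/rebuilt"
echo "default name:  $(compare_cas "$work/cached" "$work/rebuilt")"

# Proposed format with a one-day timestamp, CA rebuilt on a later day.
make_ca "Puppet CA: Generated on puppet.example.com at 2011-10-19" "$work/day1"
make_ca "Puppet CA: Generated on puppet.example.com at 2011-10-20" "$work/day2"
echo "dated name:    $(compare_cas "$work/day1" "$work/day2")"

rm -rf "$work"
```

With a one-day timestamp, two CAs created on the same host on the same day would still report `collision`.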
History
#1
Updated by Nigel Kersten over 1 year ago
- Description updated (diff)
Updated description given it’s the certname that is used, not the fqdn.
#2
Updated by Nick Fagerlund over 1 year ago
I say “created” over “generated;” other than that, I’m all about this plan.
#3
Updated by Nick Fagerlund over 1 year ago
(And to capture something I realized when we were talking about it: the master’s certname has nothing to do with the CA’s identity, it just happens to be part of its history.)