More sensible default for dns_alt_names
Affected Puppet version: 2.7.6
Branch:
I’m tired of running into this bug every single time I create a new install of Puppet. Please make the default for dns_alt_names=“puppet”, or “puppet,hostname” or “puppet,puppet.facter domain” or something. Puppet doesn’t “just work” with the defaults. This single stupid thing causes a lot of frustration and questions from new users, most of which really don’t give a crap about PKI, wasting their time and that of people trying to troubleshoot and explain it. There are questions all over the web and IRC and probably email.
Maybe this has already been fixed, I dunno, I couldn’t even find the latest Puppet version number on the new commercialized web site. Just Puppet Enterprise 2.5, which is even older than what I have…it used to be easy to navigate. If it’s been fixed, awesome. Cheers.
#1 Updated by eric sorenson 10 months ago
- Status changed from Unreviewed to Rejected
There’s actually logic to set exactly this, in lib/puppet/ssl/host.rb. If we’re autogenerating a CSR on a host which is also a CA (i.e. a brand new puppetmaster) it puts puppet, $fqdn, puppet.$domain in the dnsAltNames field. In a quick test, this code appears to be doing the right thing:
    [root@master /tmp]# puppet master --no-daemonize --debug --confdir=/tmp --ssldir=/tmp/ssl --user=pe-puppet --group=pe-puppet
    [root@master /tmp/ssl/certs]# openssl x509 -noout -text -in master.puppetlabs.lan.pem
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Subject Alternative Name:
                DNS:master.puppetlabs.lan, DNS:puppet, DNS:puppet.puppetlabs.lan
I agree that SSL issues are way less user-delightful than they ought to be, but this part of the system seems to work as intended.
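The check described in the comment above, as an added Ruby example (not Puppet's own lib/puppet/ssl/host.rb code): issue a certificate carrying the default alt names puppet, the FQDN and puppet.domain, read the subjectAltName back the way the openssl output shows it, and report which expected names a certificate lacks. The function names and the constructed FQDN are mine.

```ruby
require 'openssl'

# The default dnsAltNames the comment describes: the host's FQDN,
# "puppet" and "puppet.<domain>" (domain taken from the FQDN).
def default_alt_names(fqdn)
  domain = fqdn.split('.', 2)[1]
  names = [fqdn, 'puppet']
  names << "puppet.#{domain}" if domain
  names.uniq
end

# Issue a self-signed certificate with the given DNS names in its
# subjectAltName extension; stands in for a freshly generated master cert.
def self_signed_cert(fqdn, key, alt_names)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = alt_names.map { |n| "DNS:#{n}" }.join(', ')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Extract the DNS entries of subjectAltName, the same list that
# `openssl x509 -noout -text` prints under "Subject Alternative Name".
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

# Names an agent pointed at "puppet" or "puppet.<domain>" would need
# but which this certificate does not carry (empty when all are present).
def missing_alt_names(cert, fqdn)
  default_alt_names(fqdn) - san_dns_names(cert)
end
```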