ReleaseEngineering/PuppetAgain/Certificate Chaining: Difference between revisions

ReleaseEngineering/PuppetAgain/Certificate Chaining (view source)

399 bytes added , 24 May 2012

add note about ruby bug, workaround in commands

canmove, Confirmed users

1,394

edits

@@ Line 190: / Line 190: @@
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage = serverAuth, clientAuth
-subjectAltName = DNS:puppet
+# include the fqdn here to work around https://bugs.ruby-lang.org/issues/6493
+subjectAltName = DNS:puppet,DNS:puppetmaster.fully.qualified.name
 </pre>
@@ Line 290: / Line 291: @@
 * note that in a certdir, certificates are hashed with an extension of '.0' (or .1 and so on if there are collisions), while CRLs are hashed with an extension ending of '.r0' (or .r1, ..).  This is not obvious *anywhere* except in the output of a 'strace' of Apache (seriously).
 * Apache only checks CRLs that it can find; a CA certificate without a corresponding CRL is assumed to have no revoked certificates.  This can be helpful if you do not want to worry about expired CRLs, but could also be a security problem if you're not careful.
+* Ruby's OpenSSL::SSL class ignores the distinguished name on a certificate if there are subjectAltNames defined.  This matters for server certs, which must thus include both their fqdn and 'puppet' if they are to be usable at both names.  See https://bugs.ruby-lang.org/issues/6493
 * CRLs potentially expire very quickly.  If you don't have plans in place to automatically regenerate CRLs, pick a very long expiration time for them (default_crl_days in openssl.conf).