On Apr 27, 2009, at 5:04 PM, Matthew King wrote:

>
> For history, see:
>    
> http://groups.google.com/group/puppet-dev/browse_thread/thread/8f3a4edbbcd65d59
>    and probably http://projects.reductivelabs.com/issues/899 is the
>    same issue
>
> The problem here is that certificates for the puppetmaster (acting as
> the CA) and the puppet client on the same machine have the same DN,
> namely CN=<fqdn>. The fix is to simply change the DN of the CA:
>
> --- /usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb~   2008-07-08  
> 14:46:19.000000000 +0100
> +++ /usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb    2009-04-27  
> 15:55:54.000000000 +0100
> @@ -161,6 +161,7 @@
>         end
>         cert = Certificate.new(
>             :name => name,
> +            :ou => "PuppetCA",
>             :cert => @config[:cacert],
>             :encrypt => @config[:capass],
>             :key => @config[:cakey],
>
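
Review bot: the added `:ou => "PuppetCA"` argument to `Certificate.new(` is a hard-coded literal with no comment explaining its purpose. A one-line comment saying it keeps the CA's subject DN distinct from the CN=<fqdn> certificate of a client on the same machine would stop it from being dropped later as unused. The neighbouring `:cert`, `:encrypt` and `:key` arguments all come from `@config`, so consider reading the OU value from `@config` too rather than fixing it in code. Because this changes the CA subject, the need to recreate all certificates belongs in the upgrade notes alongside the change.
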
> Whether the actual problem is in apache or puppet (i.e. should apache
> understand that different certificates can have the same CA or is puppet
> breaking the spec by doing it?), this patch makes it go away. Of course
> all certificates will have to be recreated.

This seems reasonable, although shouldn't the ou actually be something  
like the domain name, modified in some way?

Either way it's largely not used, so it doesn't really matter.

-- 
It's a small world, but I wouldn't want to paint it.
     -- Stephen Wright
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
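
The DN collision described in the quoted message, reproduced with Ruby's OpenSSL bindings as an added example (not code from this thread or from Puppet). The hostname `puppet.example.test`, the position of the OU within the subject, and the helper names `make_cert` and `dn_report` are assumptions made for illustration.

```ruby
require "openssl"

# Build a certificate. With no issuer given, the certificate is self-signed.
def make_cert(subject, key, issuer_cert = nil, issuer_key = nil, serial = 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Create a CA and a client certificate issued by it, then report how the
# two relate by name and by signature.
def dn_report(ca_subject, client_subject)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  client_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(ca_subject, ca_key)
  client = make_cert(client_subject, client_key, ca, ca_key, 2)
  {
    # CA and client are indistinguishable by subject DN
    same_dn: ca.subject.cmp(client.subject) == 0,
    # subject == issuer: by name alone the client cert looks self-issued
    client_looks_self_issued: client.subject.cmp(client.issuer) == 0,
    # the signature shows it is not actually self-signed
    client_self_signed: client.verify(client_key),
    client_signed_by_ca: client.verify(ca_key)
  }
end

if __FILE__ == $PROGRAM_NAME
  fqdn = "puppet.example.test" # constructed hostname
  puts "CA and client both CN=<fqdn>:"
  p dn_report("/CN=#{fqdn}", "/CN=#{fqdn}")
  puts "CA subject carries OU=PuppetCA:"
  p dn_report("/OU=PuppetCA/CN=#{fqdn}", "/CN=#{fqdn}")
end
```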

