On Sep 18, 2009, at 12:37 AM, Brice Figureau wrote:

>
> On Thu, 2009-09-17 at 17:30 -0700, Luke Kanies wrote:
>> We still look for certificates/keys/etc named "ca", but the
>> cert itself uses the certname of the host that functions as the
>> CA.
>
> Are you sure it solves #2617?

Well, I tested it by creating the cert with 0.24.8 and then starting a
0.25 server with both a 0.25 client and a 0.24.8 client.

> The only thing it does to me is making sure CA certs use the certname
> when they get created.
> In our specific case, the issue is that the client thinks that a given
> CA cert with a name different than "ca" (i.e. generated by 0.24) is a
> regular certificate and not a CA cert.
> I'd thought you also change the Ssl_file to "detect" CA not only by
> their name but also by their basicConstraint properties. In the current
> system, a cert sent by the master is saved locally under its certname,
> not under the "ca" name because the transmitted request.key is the
> certname.

We looked into multiple ways of fixing the problem, including the kind
of detection you mention, but in the end, the CN in the CA cert is only
used in two places that I could find - when we create the CSR, and when
the actual auth happens at the https layer.

In other words, finding and saving the cert are all done by file
location and the string 'ca', so the CN doesn't matter there, and the
https layers don't care where the file was stored, so it's just a
question of slightly separating them.

> Another issue, is that it also re-opens #899, which was certainly fixed
> in 0.25 because of the name change (but that's minor, people can use
> non-bugged software for CRL functionalities :-)).

Hmm. You are correct. And I don't think it's quite enough to just tell
people not to use mod_ssl. I'll continue thinking about it and see if I
can come up with a different solution that fixes both problems.

-- 
Getting caught is the mother of invention. --Robert Byrne
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
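The detection Brice describes, recognising a CA certificate by its basicConstraints extension rather than by the "ca" file name it was stored under, as an added example. This is illustration code written for this thread, not Puppet's Ssl_file code; it uses only Ruby's OpenSSL standard library, the certificates are constructed in memory, and the names build_cert, ca_cert? and classify_certs are assumptions.

```ruby
require 'openssl'

# Build a certificate in memory for the demonstration (constructed sample
# data, not Puppet's real CA or host certificates). With ca: true the cert is
# self-signed and carries basicConstraints CA:TRUE; otherwise it is a leaf
# signed by the supplied issuer and carries CA:FALSE.
def build_cert(subject_cn, ca:, issuer_cert: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = rand(1..(2**31))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  end

  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Decide whether a PEM certificate is a CA from its basicConstraints
# extension. A cert with no basicConstraints at all is treated as not a CA.
def ca_cert?(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  ext = cert.extensions.find { |e| e.oid == "basicConstraints" }
  return false if ext.nil?
  # OpenSSL renders the value as "CA:TRUE" or "CA:TRUE, pathlen:N"
  ext.value.split(",").map(&:strip).include?("CA:TRUE")
end

# Sort a name => PEM store into CA and leaf certificates by content, so a CA
# cert saved under its certname (not "ca") is still recognised as a CA.
def classify_certs(store)
  result = { ca: [], leaf: [] }
  store.each do |name, pem|
    (ca_cert?(pem) ? result[:ca] : result[:leaf]) << name
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = build_cert("puppetmaster.example.com", ca: true)
  leaf, _leaf_key = build_cert("agent1.example.com", ca: false,
                               issuer_cert: ca, issuer_key: ca_key)
  # The CA cert is stored under its certname, as the 0.24 client would do.
  store = { "puppetmaster.example.com" => ca.to_pem,
            "agent1.example.com" => leaf.to_pem }
  puts classify_certs(store).inspect
end
```

The point of the check is that the file name carries no trust information: a client that keys off "ca" misfiles a CA cert saved under its certname, whereas basicConstraints is part of the signed certificate itself. In a real deployment the leaf would additionally be verified against the CA's public key before any trust decision is made.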
