I was doing some thinking and reading through the posts on the Apache
CRL issue with puppet and realized that people were suggesting changing
the wrong host value.

Fundamentally, the CN in the CA cert is irrelevant. In theory, you never
hit that server live so it makes no difference if it were all called "bob".

So, at least in the 0.24.9 series, if you change line 158 of

/usr/lib/ruby/site_ruby/1.8/puppet/sslcertificates/ca.rb

From:

name = Facter["hostname"].value

To:

name = Facter["hostname"].value + "-something_sane"

Then the CA will use that entry when rebuilt.

Obviously, this doesn't solve the issue with existing CAs but, if you
can stomach blowing away your CA and re-building your certs, it'll solve
the CRL problem from there on out.

Thanks,

Trevor

-- 
Trevor Vaughan
 Vice President, Onyx Point, Inc.
 email: [email protected]
 phone: 410-541-ONYX (6699)
 pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
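An added illustration of the naming change above (example code, not Puppet's ca.rb): it builds a throwaway CA with the hostname-plus-suffix CN, issues a master cert with the bare hostname CN, and reports whether the two subject DNs collide, which is the state the stock naming produces. The hostname and suffix values are constructed here; ca.rb takes the hostname from Facter.

```ruby
require 'openssl'

# Build a certificate. With no issuer it is a self-signed CA; otherwise it is
# signed by the given issuer. Throwaway keys and one-year validity are fine
# for a check like this.
def make_cert(cn, serial, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  if issuer_cert.nil?
    cert.issuer = cert.subject # self-signed CA
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.sign(key, OpenSSL::Digest::SHA256.new)
  else
    cert.issuer = issuer_cert.subject
    cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  end
  [key, cert]
end

# True when the CA subject DN is identical to the server cert subject DN.
# Stock 0.24.x naming (CA CN == hostname == master CN) yields exactly that.
def ca_subject_collides?(ca_cert, server_cert)
  ca_cert.subject.to_s == server_cert.subject.to_s
end

# Rebuild a CA named hostname + suffix, issue the master cert for hostname,
# confirm the chain verifies, and return whether the subjects still collide.
def check_naming(hostname, suffix)
  ca_key, ca_cert = make_cert(hostname + suffix, 1)
  _key, master_cert = make_cert(hostname, 2, ca_cert, ca_key)
  raise "master cert does not verify against CA" unless master_cert.verify(ca_key)
  ca_subject_collides?(ca_cert, master_cert)
end

if __FILE__ == $0
  host = "puppet" # constructed value; ca.rb uses Facter["hostname"].value
  puts "stock naming collides:   #{check_naming(host, '')}"
  puts "suffixed naming collides: #{check_naming(host, '-something_sane')}"
end
```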
