
It's actually not in the lists that I could find; it's buried in Redmine.

It fixes the issue because of the way Apache works.

Apache tries to validate the sig on the CRL and, of course, picks up the
items by a hash of the DN, just like most OpenSSL apps (OpenLDAP, etc...).

So, by changing the name in the case of the CA, the DN then hashes to a
different value and you no longer have a conflict with the proper
puppetmaster/client cert on the system.

Trevor

On 06/29/2010 08:45 PM, Jeff McCune wrote:
> On Tue, Jun 29, 2010 at 12:44 PM, Trevor Vaughan <[email protected]> wrote:
>> I was doing some thinking and reading through the posts on the Apache
>> CRL issue with puppet and realized that people were suggesting changing
>> the wrong host value.
>>
>> Fundamentally, the CN in the CA cert is irrelevant. In theory, you never
>> hit that server live so it makes no difference if it were all called "bob".
> 
> In fact, the key usage x.509 attributes should prevent the CA
> certificate from being used as an SSL server certificate entirely.  The
> CA certificate CN field has nothing to do with hostname as far as
> validation is concerned, unlike an SSL server certificate.
> 
>> Obviously, this doesn't solve the issue with existing CAs but, if you
>> can stomach blowing away your CA and re-building your certs, it'll solve
>> the CRL problem from there on out.
> 
> I'm getting up to speed.  Why does this solve the CRL problem?  If
> you'd rather not explain, I'll go dig through the lists.
> 

-- 
Trevor Vaughan
 Vice President, Onyx Point, Inc.
 email: [email protected]
 phone: 410-541-ONYX (6699)
 pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
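As an added illustration of the DN-hash lookup Trevor describes (example code written for this page, not from the thread, Puppet or Apache): it reimplements OpenSSL's subject-name hash, X509_NAME_hash_old (MD5, OpenSSL before 1.0.0) and X509_NAME_hash (SHA-1 over the canonical name, 1.0.0 and later), for constructed DNs, and shows that a CA whose subject equals the puppetmaster's subject maps to the same `<hash>.0` / `<hash>.r0` file names Apache probes, while a renamed CA does not. The DN values and the UTF8String attribute encoding are assumptions; for a real certificate compare against `openssl x509 -noout -subject_hash -in cert.pem`.

```python
import hashlib

OID = {"CN": b"\x55\x04\x03"}  # DER contents of id-at-commonName (2.5.4.3)

def der(tag, body):
    """Wrap body in a DER tag-length-value; lengths below 65536 suffice for a DN."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def rdns(dn, canonical=False):
    """Encode each (attr, value) of a constructed DN as one RDN:
    SET { SEQUENCE { OID, UTF8String } }.  canonical=True applies the
    normalisation X509_NAME_hash uses: trim, collapse whitespace, lower-case."""
    out = []
    for attr, value in dn:
        if canonical:
            value = " ".join(value.split()).lower()  # ASCII input assumed
        string = der(0x0C, value.encode("utf-8"))  # UTF8String (assumed type)
        out.append(der(0x31, der(0x30, der(0x06, OID[attr]) + string)))
    return out

def _trunc(digest):
    # OpenSSL reads the first four digest bytes as a little-endian unsigned long
    return "%08x" % int.from_bytes(digest[:4], "little")

def name_hash_old(dn):
    """X509_NAME_hash_old (OpenSSL < 1.0.0): MD5 over the complete DER Name."""
    return _trunc(hashlib.md5(der(0x30, b"".join(rdns(dn)))).digest())

def name_hash(dn):
    """X509_NAME_hash (OpenSSL >= 1.0.0): SHA-1 over the canonical encoding,
    which omits the outer SEQUENCE."""
    return _trunc(hashlib.sha1(b"".join(rdns(dn, canonical=True))).digest())

def lookup_files(dn):
    """Names Apache/OpenSSL probe under SSLCACertificatePath / SSLCARevocationPath
    for an issuer with this subject: <hash>.0 (CA cert) and <hash>.r0 (CRL)."""
    h = name_hash(dn)
    return h + ".0", h + ".r0"

if __name__ == "__main__":
    server = [("CN", "puppetmaster")]  # constructed puppetmaster cert subject
    for ca in ([("CN", "puppetmaster")], [("CN", "Puppet CA: puppetmaster")]):
        clash = name_hash(ca) == name_hash(server)
        print(ca[0][1], lookup_files(ca), "collides" if clash else "distinct")
```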

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
