Rebuild Foreman infrastructure #1777
Changes from all commits
cc8c3e6
a0c6678
1b68136
1d09d67
606da54
6cbe265
6dfb0dc
f9243fc
32fd91e
Can you elaborate a bit on this? You want to build a foreman01.$hoster.theforeman.org with a SAN of foreman.theforeman.org and need this setting to allow it? Please be aware that someone (cough) found that this can open up a rather big can of worms (nothing checks the SAN when signing) and is thus not recommended by Puppet: "Be aware that enabling the setting could allow agent nodes to impersonate other nodes (including the nodes that already have signed certificates). Consequently, you must carefully inspect any CSRs with SANs attached."
Especially, Foreman doesn't show any SANs at all in the signing UI.
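Since the CA will not check the SANs for you and the signing UI does not show them, the check has to happen on the CSR itself before `puppetserver ca sign` is run. The script below is an added example (not code from this PR, Puppet or Foreman): it pulls the requested DNS SANs and the CN out of a PEM CSR with openssl and refuses any SAN that is neither the CN nor on an explicit allow-list. It assumes openssl 1.1.1 or newer (for `req -addext`), and the hostnames and CSRs it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PR or from Puppet/Foreman: inspect the
# subjectAltName entries of a CSR before signing it, since the Puppet CA
# does not validate SANs and the Foreman signing UI does not display them.
# Assumes openssl 1.1.1+ (for `req -addext`); hostnames below are
# constructed for the demo, not real infrastructure.
set -eu

# Print the DNS SANs requested in a PEM CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the CN of the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if every requested SAN is the CN itself or is in the
# space-separated allow-list in $2. Anything else could be an attempt to
# impersonate another node and must be looked at by a human.
check_csr() {
    csr=$1; allowed=$2
    cn=$(csr_cn "$csr")
    rc=0
    for san in $(csr_sans "$csr"); do
        case " $cn $allowed " in
            *" $san "*) echo "ok      SAN $san" ;;
            *)          echo "REJECT  SAN $san is neither the CN nor allow-listed"; rc=1 ;;
        esac
    done
    return $rc
}

# Generate a throwaway EC key and CSR (constructed input for the demo).
# $1 = CSR path, $2 = CN, $3 = subjectAltName value, e.g. "DNS:a,DNS:b".
gen_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" -addext "subjectAltName=$3" \
        2>/dev/null
}

# Stand-alone demo: a CSR whose only SAN is its own CN passes, one that
# additionally claims foreman.theforeman.org is held until allow-listed.
demo() {
    d=$(mktemp -d)
    gen_csr "$d/self.csr"  foreman01.example.theforeman.org \
        DNS:foreman01.example.theforeman.org
    gen_csr "$d/alias.csr" foreman01.example.theforeman.org \
        DNS:foreman01.example.theforeman.org,DNS:foreman.theforeman.org
    check_csr "$d/self.csr" "" && echo "self.csr: safe to sign"
    if check_csr "$d/alias.csr" ""; then
        echo "alias.csr: safe to sign"
    else
        echo "alias.csr: hold for manual review"
    fi
    # Once an operator has confirmed the SAN is expected, allow it explicitly.
    check_csr "$d/alias.csr" foreman.theforeman.org && echo "alias.csr: SAN approved"
    rm -rf "$d"
}
demo
```

Run it against the CSR the Puppet CA has queued (`/etc/puppetlabs/puppetserver/ca/requests/<name>.pem` by default) before signing; the point is that the "enable, sign, disable" window is only safe if the one CSR signed in that window is actually the one you expect.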
(I guess we can enable that, sign the cert for foreman.tfm.o and disable it again?)
You're right about that. The alternative I thought about was using Let's Encrypt for a proper URL. Tricky part there is access to it. Right now I have set up a firewall to only allow port 443 from the Puppetserver and my home network. I guess we could set up rules so that it does IP checks in Apache for everything except /.well-known or use DNS validation, but that's a lot trickier.
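The "IP checks in Apache for everything except /.well-known" idea looks like this in Apache 2.4 configuration. This is an added example, not configuration from this PR or from the Foreman infrastructure; the source addresses are RFC 5737 placeholders standing in for the Puppetserver and the admin network, and the vhost body is elided. Let's Encrypt's HTTP-01 validation arrives on port 80, so that listener has to exist and only the challenge path is opened on it; everything else is redirected to the restricted 443 vhost.

```apache
# Added example (not the PR's own config). Placeholder source ranges:
# 192.0.2.10 = Puppetserver, 198.51.100.0/24 = admin network.

<VirtualHost *:80>
    ServerName foreman.theforeman.org

    # HTTP-01 challenge files must be fetchable by the ACME validators,
    # which come from arbitrary addresses.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    # Everything else on port 80 just goes to the restricted HTTPS vhost.
    RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)" "https://foreman.theforeman.org/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName foreman.theforeman.org
    SSLEngine on
    # ... certificate paths and the rest of the Foreman vhost elided ...

    # Only the Puppetserver and the admin network may reach the application.
    <Location "/">
        Require ip 192.0.2.10 198.51.100.0/24
    </Location>
</VirtualHost>
```

With this, the firewall can keep port 443 closed to the world while port 80 is open, and the only thing the open port serves is the ACME challenge. DNS-01 validation avoids opening port 80 at all but needs API access to the zone, which is the "a lot trickier" part.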
I think I'd go with the easiest option, which to me seems to be "enable, sign, disable, (forget it 5 years)"?
I'll opt to keep this in bootstrap for now, then when Puppet actually runs it should be disabled again.