
Fix 14882 (http://projects.theforeman.org/issues/14882) #510

Closed

Conversation

elconas

@elconas elconas commented Feb 13, 2017

This one allows signing of DNS alt name requests

@theforeman-bot
Member

There were the following issues with the commit message:

  • d8026b3 must be in the format fixes #redmine_number - brief description

If you don't have a ticket number, please create an issue in Redmine.

More guidelines are available in Coding Standards or on the Foreman wiki.


This message was auto-generated by Foreman's prprocessor

@theforeman-bot
Member

There were the following issues with the commit message:

  • length of the first commit message line for e247362 exceeds 65 characters

If you don't have a ticket number, please create an issue in Redmine.

More guidelines are available in Coding Standards or on the Foreman wiki.


This message was auto-generated by Foreman's prprocessor

@ares
Member

ares commented Feb 14, 2017

ok to test or [test]

@dmitri-d
Member

Should we consider security issues associated with automatic enabling of alt-names in certificates? Perhaps this option should be requested explicitly in foreman ui/cli and passed on to smart-proxy? @domcleal, @brandonweeks -- thoughts?

@domcleal
Contributor

Yeah, it can't be enabled unilaterally - either via configuration and/or by request.

@elconas
Author

elconas commented May 29, 2017

One addition: trusted extensions (https://docs.puppet.com/puppet/4.10/ssl_attributes_extensions.html#puppet-specific-registered-ids) of certificate requests (only visible via puppet cert list --verbose) would also be visible / shown.

puppet cert list --verbose
  "testnode" (SHA256) 20:F5:18:7F:2A:5A:8C:3D:54:97:43:DF:9C:F1:6C:28:8E:D1:9B:AF:A0:E4:02:D1:04:D2:81:E4:D2:5D:7D:C6 (pp_cluster: "showcase", pp_environment: "development", pp_role: "webserver", pp_zone: "lan")

@dmitri-d
Member

@elconas: Are you planning on introducing a config option to enable/disable this feature?

@dmitri-d
Member

Alternatively, you could pass a request parameter to enable signing of alt name requests.

@ekohl
Member

ekohl commented Jun 7, 2017

I wonder if a list of allowed names would make sense.

@dmitri-d
Member

@elconas: are you planning to continue the work on this PR?

@elconas
Author

elconas commented Jun 29, 2017

Another similar problem is that if you have trusted extensions enabled (see https://docs.puppet.com/puppet/4.10/ssl_attributes_extensions.html), those are also not visible in the Foreman GUI:

puppet cert list --verbose cert.bla
  "cert.bla" (SHA256) CB:4D:11:62:74:1D:77:BE:E7:8E:A8:3D:62:ED:D1:C9:F2:70:EE:FE:ED:5F:1B:1F:6E:1A:61:4C:A9:C6:07:DC (alt names: "DNS:cert.bla", "DNS:devvm.vagrant.local", pp_cluster: "xxx", pp_environment: "development", pp_role: "yyyy", pp_zone: "lan", subjectAltName:)

So addressing this issue properly would mean:

  • Provide API Users a way to retrieve certificate extensions - short make the information available
  • Provide Foreman Users a way to display extended certificate attributes (e.g. trusted facts and dns alt names) in the GUI and then assuming if the user clicks "sign" that he has verified this information (as of now). - short make the info visible

As I am not a Ruby on Rails developer, I am not able to provide a proper fix in an acceptable time :(

@gittygoo

Much needed feature, manually patched this on a test server and it seems to be working fine; with a few additions (showing the SANs on the Foreman cert table) this would be perfect. Thanks for doing this!

@lzap
Member

lzap commented Jan 29, 2019

Thanks for the patch so far, this needs to be a configurable option, possibly with a list of hostnames as folks suggest. Please rebase, add config option, tests and reopen or file a new PR if you want this functionality. I am closing for now.

@lzap lzap closed this Jan 29, 2019
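As an added example (not code from this PR or from the smart-proxy project), a Ruby sketch of the policy the reviewers asked for: read the DNS alt names out of a Puppet-style CSR's extReq attribute and only sign when alt-name signing is explicitly enabled and every requested name is on a configured allowlist. The CSR builder, the hostnames and the function names are constructed for the demo and are not the smart-proxy API.

```ruby
require 'openssl'

# Constructed helper: build a CSR that carries a subjectAltName extension
# request, the way an agent does when it asks for DNS alt names. Key and
# names are throwaway demo values.
def build_csr_with_alt_names(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName', alt_names.map { |n| "DNS:#{n}" }.join(','))
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Return the DNS names requested in the CSR's extReq attribute ([] if none).
# This is the information the thread notes is only visible via
# "puppet cert list --verbose" today.
def csr_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  exts = attr.value.value.first.value.map { |e| OpenSSL::X509::Extension.new(e) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  san.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }.map { |v| v.sub('DNS:', '') }
end

# Signing policy (hypothetical): a CSR without alt names is signed as before;
# one with alt names is signed only when the feature is enabled AND every
# requested name is in the allowlist. Returns [:sign, names] or [:reject, why].
def alt_name_signing_decision(csr, enabled:, allowed_names:)
  names = csr_alt_names(csr)
  return [:sign, []] if names.empty?
  return [:reject, 'alt names present but alt-name signing is disabled'] unless enabled
  unknown = names - allowed_names
  return [:reject, "alt names not in allowlist: #{unknown.join(', ')}"] unless unknown.empty?
  [:sign, names]
end
```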