Hello,

I'm currently integrating puppet with an external openssl-based PKI and
I stumbled across a problem which looks like it may be a bug in puppet.

All my certificates contain an emailAddress field in the subject.  Here
it is in the default format:


% openssl x509 -in mir.example.net.pem -noout -text -subject

subject= /C=UK/ST=Greater London/O=example/CN=mir.example.net/emailAddress=syst...@example.net


When I run puppet with stock auth.conf I get the following error message:


err: Could not retrieve catalog from remote server: Error 403 on SERVER:
Forbidden request: mir.example.net/emailAddress=syst...@example.net(46.4.3.59)
access to /catalog/mir.example.net [find] authenticated  at line 52

If I modify my auth.conf to:


path ~ ^/catalog/([^/]+)$
method find
#allow $1
allow /$1\/email/


It works fine:


info: Caching catalog for mir.example.net
info: Applying configuration version '1338465941'
notice: Finished catalog run in 0.08 seconds


It looks like puppet is interpreting emailAddress as a part of the CN
(which it isn't).  Outputting the subject in rfc2253 format makes it a
bit clearer:


% openssl x509 -in mir.example.net.pem -noout -text -subject -nameopt RFC2253

subject= emailAddress=syst...@example.net,CN=mir.example.net,O=example,ST=Greater London,C=UK


Has anyone else come across this?  Shall I open a bug or am I doing
something stupid here?

As far as I'm aware, OpenSSL will put the email address in the subject line
by default, unless explicitly disabled.

I'm running puppet-2.7.14 on FreeBSD 9.0 behind Apache and Passenger.

Cheers,

Andrew.
-- 
[ a...@zx23.net ]
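An added example, not code from the original post or from Puppet itself: a small Ruby script that parses the subject shown above in both the default and the RFC2253 form, contrasts the "everything after CN=" reading that the error message suggests with a proper per-attribute parse, and checks the resulting name against the two auth.conf allow forms from the post. The email address in SUBJECT is a constructed placeholder, since the post elides it; the "naive" function illustrates the observed symptom and is not Puppet's own parsing code.

```ruby
# Split an OpenSSL subject into ordered [attribute, value] pairs.
# Handles both the default "/C=UK/ST=.../CN=..." form and the RFC2253
# "emailAddress=...,CN=...,C=UK" form. Assumes no escaped separators.
def parse_subject(subject)
  s = subject.sub(/\Asubject=\s*/, '')
  if s.start_with?('/')
    parts = s[1..-1].split('/')
  else
    parts = s.split(',').reverse  # RFC2253 lists RDNs most-specific first
  end
  parts.map { |rdn| attr, value = rdn.split('=', 2); [attr.strip, value] }
end

# The symptom the post describes: the reported name is everything after
# "CN=", so a trailing emailAddress gets glued onto the common name.
# (Illustration of the observed behaviour, not Puppet's actual code.)
def naive_cn(subject)
  subject[/CN=(.*)\z/, 1]
end

# Correct extraction: only the CN attribute's value.
def cn(subject)
  pair = parse_subject(subject).find { |attr, _| attr == 'CN' }
  pair && pair[1]
end

# Emulate an auth.conf `allow` entry: a /regex/ is matched against the
# name, anything else must equal it exactly. $1 is the path capture.
def allowed?(allow_entry, path_capture, name)
  entry = allow_entry.gsub('$1', path_capture)
  if entry =~ %r{\A/(.*)/\z}
    Regexp.new(Regexp.last_match(1)).match?(name)
  else
    entry == name
  end
end

# Constructed subject; the address is a placeholder, not the one in the post.
SUBJECT = 'subject= /C=UK/ST=Greater London/O=example/CN=mir.example.net/emailAddress=someone@example.net'
NODE = 'mir.example.net'

if __FILE__ == $0
  puts "naive CN : #{naive_cn(SUBJECT)}"
  puts "proper CN: #{cn(SUBJECT)}"
  puts "allow $1 (naive CN)        : #{allowed?('$1', NODE, naive_cn(SUBJECT))}"
  puts "allow /$1\\/email/ (naive) : #{allowed?('/$1\/email/', NODE, naive_cn(SUBJECT))}"
  puts "allow $1 (proper CN)       : #{allowed?('$1', NODE, cn(SUBJECT))}"
end
```

The workaround regex only matches because the glued-on "/emailAddress=..." suffix is present; a parse that isolates the CN makes the plain `allow $1` line succeed again.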
