Issue #926

default value of server_name config is inconsistent between systems

Added by dkliban@redhat.com over 4 years ago. Updated 9 months ago.

Status: CLOSED - WONTFIX
Priority: High
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release: 2.7.2
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Easy Fix, Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint:

Description

As you can see here [0], the default value for server_name is generated using the socket module.

socket.gethostname()

It has come to my attention that the value returned by the above code could sometimes be a short hostname or an FQDN. In order to ensure consistency we should start using:

socket.getfqdn()

We should also change this line [1] in pulp-gen-ca-certificate to:

CN=`hostname --fqdn`

[0] https://github.com/pulp/pulp/blob/master/server/pulp/server/config.py#L74
[1] https://github.com/pulp/pulp/blob/master/server/bin/pulp-gen-ca-certificate#L29

Associated revisions

Revision dcdb09e0 View on GitHub
Added by dkliban@redhat.com over 4 years ago

Set server_name to FQDN for default server config

The server_name and the CN in certificates generated by pulp-gen-ca-certificate are
the fully qualified domain name (FQDN).

https://pulp.plan.io/issues/926

fixes #926

More docs

History

#6 Updated by mhrivnak over 4 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes
  • Tags Easy Fix added

Fix in 2.6 if applicable.

#7 Updated by bmbouter over 4 years ago

This should be done in a Y release and a release note added that certificates may need to be regenerated to use a FQDN and any pulp-admin clients should adjust their admin.conf to use the FQDN.

After some discussion, the change to pulp-gen-ca-certificate should not present any backwards compatibility issues because it's a self-signed CA cert. It's also not used to sign the httpd certs.

#8 Updated by rbarlow over 4 years ago

On 05/04/2015 03:04 PM, Pulp wrote:

This should be done in a Y release and a release note added that
certificates may need to be regenerated to use a FQDN.

Alternatively, users who are affected should be able to configure
admin.conf to use the hostname that they had been using before to avoid
regenerating the SSL certificates. This may be worth mentioning in the
release notes as well.

#9 Updated by dkliban@redhat.com over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Platform Release set to 2.7.0

#10 Updated by dkliban@redhat.com over 4 years ago

  • Assignee set to dkliban@redhat.com

#11 Updated by dkliban@redhat.com over 4 years ago

  • Status changed from ASSIGNED to MODIFIED
  • % Done changed from 0 to 100

#12 Updated by dkliban@redhat.com over 4 years ago

  • Status changed from MODIFIED to ON_QA

#13 Updated by dkliban@redhat.com over 4 years ago

There is not currently a good way to see what the default hostname is set to. However, if you modify the client config (/etc/pulp/admin/admin.conf) and set 'host' in 'server' section to 'localhost' then you will get a mismatch between the hostname in the CA and the host that the client is trying to connect to. So then when you attempt to login using pulp-admin you will get a message similar to

The server hostname configured on the client did not match the name found in the
server's SSL certificate. The client attempted to connect to [localhost] but the
server returned [dev.example.com] as its hostname. The expected hostname can be changed in
the client configuration file.

The server should always return the same thing as the output of the following command:

hostname -f

This should be tested on multiple operating systems.
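
Added example, not part of the issue thread and not Pulp's own code: a small check that compares the two candidate defaults from the description (socket.gethostname() and socket.getfqdn()) and reports whether a client 'host' setting matches a certificate CN. The function names are hypothetical, the sample names are constructed, and the name comparison is a simplified exact match rather than full TLS hostname verification.

```python
import socket

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def normalize(name):
    """Hostnames compare case-insensitively; a trailing root dot is ignored."""
    return name.strip().rstrip(".").lower()

def looks_like_fqdn(name):
    """True if name has at least two non-empty labels and is not a loopback alias."""
    n = normalize(name)
    return "." in n and n not in LOOPBACK_NAMES and all(n.split("."))

def default_name_report(gethostname=socket.gethostname, getfqdn=socket.getfqdn):
    """Compare the two candidate defaults discussed in the issue.

    The resolver functions are injectable so the check can be exercised
    with constructed values instead of the local machine's configuration.
    """
    short, full = gethostname(), getfqdn()
    return {
        "gethostname": short,
        "getfqdn": full,
        "gethostname_is_fqdn": looks_like_fqdn(short),
        # getfqdn() falls back to the plain hostname when the resolver
        # knows no dotted name, so its result still has to be checked.
        "getfqdn_is_fqdn": looks_like_fqdn(full),
        "consistent": normalize(short) == normalize(full),
    }

def client_host_problem(client_host, cert_cn):
    """Return None when the client 'host' matches the certificate CN,
    otherwise a short description of the mismatch."""
    host, cn = normalize(client_host), normalize(cert_cn)
    if host == cn:
        return None
    if cn.split(".")[0] == host:
        return "client uses short name %r, certificate has FQDN %r" % (client_host, cert_cn)
    return "client host %r does not match certificate name %r" % (client_host, cert_cn)

if __name__ == "__main__":
    print(default_name_report())  # values from the local machine
    # Constructed values mirroring the mismatch described in comment #13
    print(client_host_problem("localhost", "dev.example.com"))
    print(client_host_problem("dev", "dev.example.com"))
```

Running the report on each target operating system shows whether the two calls agree there, and whether getfqdn() actually yields a dotted name on that host.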

#14 Updated by Skullman over 4 years ago

  • QA Contact set to Skullman

#15 Updated by Skullman over 4 years ago

  • Status changed from ON_QA to ASSIGNED

#17 Updated by Skullman over 4 years ago

  • QA Contact deleted (Skullman)

#18 Updated by amacdona@redhat.com about 4 years ago

  • Platform Release changed from 2.7.0 to 2.7.1

#19 Updated by amacdona@redhat.com about 4 years ago

  • Platform Release changed from 2.7.1 to 2.7.2

#20 Updated by dkliban@redhat.com about 3 years ago

  • Status changed from ASSIGNED to NEW

#21 Updated by dkliban@redhat.com about 3 years ago

  • Assignee deleted (dkliban@redhat.com)

#22 Updated by bmbouter 9 months ago

  • Status changed from NEW to CLOSED - WONTFIX

#23 Updated by bmbouter 9 months ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#24 Updated by bmbouter 9 months ago

  • Tags Pulp 2 added
