Generate the acceptance test CA with SAN

Modern tooling prefers the subjectAltName extension and the CN on a certificate is considered deprecated. Some tools even complain about this. However, the -addext command is unavailable on EL7 because openssl is too old.
theforeman · Mar 29, 2022 · 0f13703 · 0f13703
1 parent 3dd9f37
commit 0f13703
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
@@ -45,13 +45,20 @@
 $client_cert = "${directory}/client-cert.pem"
 $client_key = "${directory}/client-key.pem"
 
+# EL7 lacks openssl -addext
+if $facts['os']['release']['major'] == '7' {
+  $ca_cmd = "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -keyout '${ca_key}' -out '${ca_cert}' -days 365"
+} else {
+  $ca_cmd = "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -addext 'subjectAltName = DNS:${facts['networking']['fqdn']}' -keyout '${ca_key}' -out '${ca_cert}' -days 365"
+}
+
 exec { 'Create certificate directory':
   command => "mkdir -p ${directory}",
   path    => ['/bin', '/usr/bin'],
   creates => $directory,
 }
 -> exec { 'Generate certificate':
-  command   => "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -keyout '${ca_key}' -out '${ca_cert}' -days 365",
+  command   => $ca_cmd,
   path      => ['/bin', '/usr/bin'],
   creates   => $ca_cert,
   logoutput => 'on_failure',