Generate the acceptance test CA with SAN #253
Conversation
Modern tooling prefers the subjectAltName extension and the CN on a certificate is considered deprecated. Some tools even complain about this. However, the -addext command is unavailable on EL7 because openssl is too old.
ekohl
force-pushed
the
generate-with-ssl-san
branch
from
98dac20 to
0f13703
Compare
| @@ -45,13 +45,20 @@ | |||
| $client_cert = "${directory}/client-cert.pem" | |||
| $client_key = "${directory}/client-key.pem" | |||
|
|
|||
| # EL7 lacks openssl -addext | |||
| if $facts['os']['release']['major'] == '7' { | |||
| $ca_cmd = "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -keyout '${ca_key}' -out '${ca_cert}' -days 365" | |||
There was a problem hiding this comment.
You could opt to deploy a file with extensions defined in it similar to https://github.com/theforeman/foreman-installer/blob/develop/spec/fixtures/katello-certs-check/extensions.txt
And then point at the extensions when running this command similar to https://github.com/theforeman/foreman-installer/blob/develop/spec/fixtures/katello-certs-check/create_cert.sh#L36
There was a problem hiding this comment.
I considered that, but how long do we plan on supporting EL7? It is mostly needed in the pulp-cli work from #252 but IMHO there's it's sufficient to only check stderr on EL8.
There was a problem hiding this comment.
#252 passes with this change picked on EL8, so I'm happy enough.
(On the other hand, we could consider limiting the number of ways we generate certs in our CI…)
Modern tooling prefers the subjectAltName extension and the CN on a certificate is considered deprecated. Some tools even complain about this. However, the -addext command is unavailable on EL7 because openssl is too old.