Bug #1390

closed

Invalid Certificates need better handling

Added by Greg Sutcliffe over 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Category: -
Target version: -

Description

Some stupid people in my enterprise have got strange ideas on what an FQDN is...

They have managed to create hosts with certificate names like ".stsn.com" and ".ibahn.com" - of course, when Foreman tries to parse that, it gets nil for the hostname. We need to handle that better so that the Certificate Management page doesn't blow up when trying to render it.

Interestingly, if you revoke (but not clean) the offending cert, Foreman displayed the revoked certificate just fine.

Actions #1

Updated by Ohad Levy over 12 years ago

To me it sounds like a problem in the proxy rather than in Foreman. Can you look at the JSON output the proxy is responding with to figure out any possible reasons?

Actions #2

Updated by Ohad Levy over 12 years ago

  • Status changed from New to Need more information
  • Assignee set to Greg Sutcliffe

Actions #3

Updated by Greg Sutcliffe over 12 years ago

I'm massively out of practice after a month away, clearly. I'll have a poke about in the proxy soon, I hope :)

Actions #4

Updated by Greg Sutcliffe over 12 years ago

Ok, so the proxy output completes without error, and looks sane (well, as sane as possible in these situations). Running:

curl http://localhost:8443/puppet/ca

gets me all the certificates, and I can see this:

".office.etvinteractive.com":{"state":"revoked","serial":282,"not_before":"2011-10-27T10:05:00GMT","not_after":"2016-10-25T10:05:00GMT"}

in the output. The actual error message on the Foreman UI is:

smart_proxy_puppetca_url failed to generate from {:smart_proxy_id=>"1-local", :action=>"update", :controller=>"SmartProxies::Puppetca", :id=>#<SmartProxies::PuppetCA:0xb563b130 @expires_at=nil, @valid_from=nil, @fingerprint="4E:4C:13:3B:D0:69:41:57:54:CE:66:5E:66:E6:58:44", @name=".office.etvinteractive.com", @smart_proxy_id=1, @state="pending">}, expected: {:action=>"update", :controller=>"SmartProxies::Puppetca"}, diff: {:smart_proxy_id=>"1-local", :id=>#<SmartProxies::PuppetCA:0xb563b130 @expires_at=nil, @valid_from=nil, @fingerprint="4E:4C:13:3B:D0:69:41:57:54:CE:66:5E:66:E6:58:44", @name=".office.etvinteractive.com", @smart_proxy_id=1, @state="pending">}

with a trace of:

smart_proxy_puppetca_url failed to generate from {:smart_proxy_id=>"1-local", :action=>"update", :controller=>"SmartProxies::Puppetca", :id=>#}, expected: {:action=>"update", :controller=>"SmartProxies::Puppetca"}, diff: {:smart_proxy_id=>"1-local", :id=>#}
app/helpers/application_helper.rb:105:in `display_link_if_authorized'
app/views/smart_proxies/puppetca/index.html.erb:22
app/views/smart_proxies/puppetca/index.html.erb:14:in `each'
app/views/smart_proxies/puppetca/index.html.erb:14

I'm wondering if this is to do with the space-handling patch we merged in a while back - I can see spaced output coming from the proxy, e.g.:

"grove.etvinteractive.com ":{"fingerprint":"41:4A:F3:E7:F8:3A:5E:FB:A9:4F:20:93:A3:A3:7B:AD","state":"valid"}

I'm going to see what happens if I move the whitespace handling code to the proxy, so that the duplicate-certname bug can be resolved as well - I suspect these two are related somehow...
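The defensive handling this ticket asks for, sketched as an added example (not Foreman's or the smart proxy's code): it parses proxy-style JSON, flags certnames with empty labels or stray whitespace, and detects names that collide once whitespace is stripped, so a view can render a flagged entry as plain text without building an action URL from it. The names `certname_problems`, `classify_certs` and `SAMPLE_CA_JSON` are hypothetical, and the RFC 1123 label rule is an assumption about what counts as a valid certname.

```ruby
require 'json'

# Constructed sample in the shape of the proxy output quoted in this ticket.
SAMPLE_CA_JSON = <<~JSON
  {
    ".office.etvinteractive.com": {"state": "revoked", "serial": 282},
    "grove.etvinteractive.com ": {"state": "valid"},
    "grove.etvinteractive.com": {"state": "pending"},
    "web01.example.com": {"state": "valid"}
  }
JSON

# Assumption: a certname should be a dot-separated list of RFC 1123 labels.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Returns a list of symbols describing what is wrong with a raw certname key.
def certname_problems(raw)
  problems = []
  problems << :surrounding_whitespace unless raw == raw.strip
  name = raw.strip
  labels = name.split('.', -1) # -1 keeps empty leading/trailing labels
  problems << :empty_label if name.empty? || labels.any?(&:empty?)
  problems << :bad_label if labels.any? { |l| !l.empty? && l !~ LABEL }
  problems << :too_long if name.length > 253
  problems
end

# Parses the CA listing and annotates every entry instead of raising on bad ones.
def classify_certs(json)
  seen = Hash.new(0)
  entries = JSON.parse(json).map do |raw, attrs|
    name = raw.strip
    seen[name] += 1
    { raw: raw, name: name, state: attrs['state'], problems: certname_problems(raw) }
  end
  # Two keys that differ only by whitespace would look like one host in the UI.
  entries.each { |e| e[:problems] << :duplicate_after_strip if seen[e[:name]] > 1 }
  entries
end

classify_certs(SAMPLE_CA_JSON).each do |e|
  status = e[:problems].empty? ? 'ok' : e[:problems].join(', ')
  puts format('%-32s %-8s %s', e[:raw].inspect, e[:state], status)
end
```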

Actions #5

Updated by Greg Sutcliffe almost 12 years ago

  • Status changed from Need more information to Closed
  • % Done changed from 0 to 100

I don't think this applies any more, so I'm closing it. If I see it again, I'll re-open.
