25 changes: 16 additions & 9 deletions docs/certificates.md
@@ -51,14 +51,19 @@ After deployment, certificates are available at:
- Server Certificate: `/root/ssl-build/<hostname>/<hostname>-apache.crt`
- Client Certificate: `/root/ssl-build/<hostname>/<hostname>-foreman-client.crt`

### Current Limitations
### CNAME Support

- Only supports single hostname (no multiple DNS names)
- Cannot provide custom certificate files during deployment
- Fixed 20-year certificate validity period
- Limited certificate customization options
foremanctl supports Subject Alternative Names (SANs) for multi-domain certificates:

---
```bash
# Generate certificates with multiple DNS names
foremanctl deploy \
--certificate-cname api.example.com \
--certificate-cname foreman.example.com \
--certificate-cname satellite.example.com
```

When CNAMEs are specified, certificates will include all names in the Subject Alternative Name field, allowing the same certificate to be valid for multiple hostnames.

## Internal Design
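Review bot: replacing the whole "Current Limitations" section with "CNAME Support" drops three limitations this change does not address: custom certificate files still cannot be provided during deployment, the validity period is still fixed at 20 years, and customization is still limited. Keep those bullets under the existing heading, remove only the "Only supports single hostname" bullet, and add the new CNAME section beside them. The new text also calls the extra names CNAMEs, but they are plain DNS entries in the Subject Alternative Name extension and do not need to be DNS CNAME records; one sentence saying so would stop operators from expecting the tool to resolve or validate CNAME records.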

@@ -89,7 +94,8 @@ src/roles/certificates/

2. **Host Certificate Issuance** (for each hostname in `certificates_hostnames`):
- Generate 4096-bit RSA private key
- Create certificate signing request (CSR)
- Create certificate signing request (CSR) with Subject Alternative Names
- Include primary hostname and any additional CNAMEs from `certificate_cname`
- Sign certificate with CA (includes serverAuth/clientAuth extensions)
- Generate both server and client certificates per hostname
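Review bot: the variable named in "Include primary hostname and any additional CNAMEs from `certificate_cname`" does not exist; the variable this change introduces is `certificates_cnames` (see src/roles/certificates/defaults/main.yml and src/playbooks/deploy/metadata.obsah.yaml). Rename it here so the documentation matches the role.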

@@ -146,5 +152,6 @@ The `certificate_checks` role uses `foreman-certificate-check` binary to validate

**OpenSSL Configuration:**
- Custom configuration template supports SAN extensions
- Single DNS entry per certificate: `subjectAltName = DNS:{{ certificates_hostname }}`
- Uses OpenSSL's `req` and `ca` commands for generation and signing
- Multiple DNS entries supported: `subjectAltName = DNS:{{ certificates_hostname }}{% for cname in certificate_cname %},DNS:{{ cname }}{% endfor %}`
- Uses OpenSSL's `req` and `ca` commands for generation and signing
- CNAMEs configured via `certificate_cname` variable (list of additional DNS names)
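Review bot: both new bullets use `certificate_cname`, while the expression actually rendered in src/roles/certificates/tasks/issue.yml loops over `certificates_cnames`; copied as documented, the Jinja expression would reference an undefined variable. Fix the name in both bullets. The first bullet also says the SANs come from the custom OpenSSL configuration template, but this change passes them on the `openssl req` command line via `-addext`; state which mechanism is used so an operator debugging a missing SAN looks in the right place.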
2 changes: 1 addition & 1 deletion docs/parameters.md
@@ -58,6 +58,7 @@ There are multiple use cases from the users perspective that dictate what parame

| Parameter | Description | foreman-installer Parameter |
| ----------| ----------- | --------------------------- |
| `--certificate-cname` | Allows defining CNAME for default certificates | --certs-cname |

##### Unmapped
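Review bot: "Allows defining CNAME for default certificates" understates the option: metadata.obsah.yaml declares it with `action: append`, so it can be given multiple times and each value becomes an additional DNS entry in the Subject Alternative Name extension. Suggest "Additional DNS name to include in the certificate Subject Alternative Names; can be repeated" so the table agrees with the `--help` text.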

@@ -76,7 +77,6 @@ There are multiple use cases from the users perspective that dictate what parame
| `--foreman-plugin-tasks-cron-line` | | foreman::plugin::tasks | cron_line |
| `--foreman-plugin-tasks-automatic-cleanup` | | foreman::plugin::tasks | automatic_cleanup |
| `--tuning` | Sets the tuning profile | foreman-installer | |
| `--certs-cname` | | certs | cname |
| `--certs-tar` | | certs | tar |
| `--certs-tar-file` | | certs | tar |
| `--certs-server-cert` | | certs | server_cert |
4 changes: 4 additions & 0 deletions src/playbooks/deploy/metadata.obsah.yaml
@@ -11,6 +11,10 @@ variables:
help: Number of workers for Puma.
pulp_worker_count:
help: Number of Pulp workers. Defaults to 8 or the number of CPU cores, whichever is smaller.
certificates_cnames:
help: Additional DNS name to include in Subject Alternative Names for certificates. Can be specified multiple times.
action: append
parameter: --certificate-cname

include:
- _certificate_source
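Review bot: nothing validates the values given to `--certificate-cname`; each one is written verbatim into the `subjectAltName` extension in src/roles/certificates/tasks/issue.yml, so a typo, an IP address or a name with stray whitespace yields a certificate with a bogus DNS SAN that is only noticed when clients fail TLS verification. Consider an `assert` task (or a validator on the option) that checks every entry against hostname syntax before issuing. Also worth confirming that omitting the option does not pass `certificates_cnames` as null and override the `[]` default in src/roles/certificates/defaults/main.yml, since a null value would make the Jinja `for` loop in issue.yml fail.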
1 change: 1 addition & 0 deletions src/roles/certificates/defaults/main.yml
@@ -4,3 +4,4 @@ certificates_ca_directory: /root/certificates # Change this to /var/lib?
certificates_ca_directory_keys: "{{ certificates_ca_directory }}/private"
certificates_ca_directory_certs: "{{ certificates_ca_directory }}/certs"
certificates_ca_directory_requests: "{{ certificates_ca_directory }}/requests"
certificates_cnames: []
2 changes: 1 addition & 1 deletion src/roles/certificates/tasks/issue.yml
@@ -14,7 +14,7 @@
-config "{{ certificates_ca_directory }}/openssl.cnf"
-key "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
-subj "/CN={{ certificates_hostname }}"
-addext "subjectAltName = DNS:{{ certificates_hostname }}"
-addext "subjectAltName = DNS:{{ certificates_hostname }}{% for cname in certificates_cnames %},DNS:{{ cname }}{% endfor %}"
-out "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
args:
creates: "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
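Review bot: because the task is guarded by `creates:` on the CSR path, adding or changing `--certificate-cname` on a host that already has `{{ certificates_hostname }}.csr` is silently skipped and the issued certificate keeps its old SAN list; there is no error and nothing tells the operator the new name was not included. Either document that the CSR and certificate must be removed to add names, or make the task re-run when the rendered SAN list differs from what was used before (for example by recording the SAN string in a stamp file next to the CSR and comparing against it). Consider `certificates_cnames | unique | reject('equalto', certificates_hostname)` so a repeated name, or the primary hostname passed again as a CNAME, does not produce duplicate DNS entries; and since each value is interpolated inside a shell-quoted argument, a value containing a double quote would break the command, which the hostname validation suggested for metadata.obsah.yaml would prevent.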