(#10739) Provide default subjectAltNames while bootstrapping master
Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
puppet would add default subjectAltNames to any non-CA cert it signed,
including agent certs. The subjectAltNames were of the form:
DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
The fix for #2848, prevented subjectAltNames from ever being
implicitly added at signing time. But during this change, the default
subjectAltNames behavior was accidentally removed.
This commit restores the 'defaulting' behavior that existed
previously, but only when bootstrapping the initial master.
Additionally, default subjectAltNames are only ever added when
generating the master's certificate signing request, not at signing
time. This is important, because it ensures all subjectAltNames
originate from the CSR and are subject to our internal signing policy.
The code now requires that all of the following be true in order to
add default subjectAltNames to the CSR:
- We are a CA and master
- We're signing the master's cert, not self-signing the CA
- The CSR is for the current host
- No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
- The master can resolve its fqdn
These should only ever be true when bootstrapping the initial
master. In particular, it should never be true for the CA's
self-signed cert, for remote agents, or for servers that are either
masters or CAs, but not both.
The fqdn requirement existed previously, and so the same behavior has
been restored.
Note if Puppet[:dns_alt_names] are specified when bootstrapping the
master, then we do not merge the default options -- it's either one of
the other, but not both.