Description of problem: capsule-certs-generate uses the value for --foreman-proxy-cname to add a DNS record in the SAN field regardless of that setting making sense or not. E.g. DNS:[] and DNS: <= empty string. Version-Release number of selected component (if applicable): This was found on satellite 6.5, but may be true for older versions How reproducible: Always Steps to Reproduce: This is what capsule-certs-generate is generating for qpid-router-server.crt: (used by capsules' qdrouterd on port 5647 to listen to clients' goferds) X509v3 Subject Alternative Name: DNS:mycapsule.example.com, DNS:[] The DNS:[] comes from the default value for --foreman-proxy-cname: ~~~ [root@sat65a ~]# capsule-certs-generate --help (...snip...) = Module foreman_proxy_certs: --certs-tar Path to tar file with certs to generate (current: UNDEF) --foreman-proxy-cname additional names of the foreman proxy (current: ["[]"]) <========= here --foreman-proxy-fqdn FQDN of the foreman proxy (current: "sat65a.usersys.redhat.com") Turns out, if you use `--foreman-proxy-cname ""` with `capsule-certs-generate` it will still generate certs with DNS:<fqdn>, DNS: <==== second DNS entry empty. So this is either a docs bug (and somewhat of a usability bug) because capsule-certs-generate actually ALWAYS needs --foreman-proxy-cname set to whatever crazy value you want, ... OR ...we have a bug where the contents from --foreman-proxy-cname are being added to the cert regardless of it being a valid hostname or not. That is, neither [] nor and empty string should be acceptable contents for SAN records. ## Workaround for this bug always pass `capsule-certs-generate --foreman-proxy-cname <some acceptable name here, e.g. the shortname> ...etc...`.
It looks like it doesn't parse the array and treats it as a string as can be seen by the odd ["[]"] instead of []. That also means that changing the validation from Array[String] to Array[Stdlib::Fqdn] suddenly breaks because [] is an invalid hostname. This appears to be the root cause of the bug. Changing the parser cache value from foreman_proxy_cname: '[]' to foreman_proxy_cname: [] corrects the default: = Module certs: --cname The alternative names of the host the generated certificates should be for (current: []) Either kafo or kafo_parsers has a bug in getting defaults.
A bit more context. kafo_parsers retrieves the defaults using puppet-strings but that reports everything as a string: "defaults": { "parent_fqdn": "$::fqdn", "foreman_proxy_fqdn": "$::fqdn", "foreman_proxy_cname": "[]", "certs_tar": "undef" }, In kafo_parsers there is a sanitize method but it doesn't deal with "arrays" (https://github.com/theforeman/kafo_parsers/blob/d0f72ca2fe650267b1b035fdf1ae0fb59204f5b1/lib/kafo_parsers/puppet_strings_module_parser.rb#L133-L145). The quickest workaround is implementing a certs::foreman_proxy_content::params class and setting the default there. It uses a different mechanism and it can use more complex data types.
Created redmine issue https://projects.theforeman.org/issues/27847 from this bug
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454