fix: do not use cert '-subj' with hostname to generate cert, use subjectAltName

[richm]

Cause: The code was using openssl -subj /CN=$(hostname) to generate the
cert used for the server. The argument to '-subj' has a maximum length
of 64 characters, but the hostname is longer than that.

Consequence: The role would issue an error attempting to generate the
certificate if the hostname was too long.

Fix: Do not use '-subj' with the hostname. Certificate verification uses subjectAltName
and the role was already using this in the generated cert. However, we have
to have something in -subj otherwise openssl will prompt for input, so we
just use /O=Red Hat as is used with the token signer.

Result: The role can generate certificates which are secure without an
error when the hostnames are too long for -subj.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by CodeRabbit

• Chores
  • Updated SSL certificate configuration for the server component to standardize subject information and improve consistency in certificate generation.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request modifies the KBS server certificate generation in the Ansible task file, removing the hostname-derived common name from the certificate subject while preserving the organization value. The OpenSSL subject now contains only O=Red Hat instead of both CN=$(hostname -f) and O=Red Hat.

Changes

KBS Certificate Subject Configuration

Layer / File(s)	Summary
KBS server certificate subject parameter update tasks/trustee_quadlet.yml	The OpenSSL -subj argument for generating KBS server.crt removes the CN=$(hostname -f) component, leaving only O=Red Hat as the certificate subject.

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description Format	⚠️ Warning	PR description doesn't follow template structure; missing required "Enhancement:" or "Feature:" header at start and "Reason:" section label explicitly required by .github/pull_request_template.md.	Reformat PR description to match template: start with "Enhancement:" or "Feature:", add "Reason:" section label, keep "Result:" section, add "Issue Tracker Tickets" if applicable.
Description check	❓ Inconclusive	The PR description provides detailed context about the problem, solution, and result, but does not follow the repository's required template structure with 'Enhancement', 'Reason', 'Result', and 'Issue Tracker Tickets' sections.	Reformat the description to match the template: add 'Enhancement:' section, reorganize 'Reason:' and 'Result:' sections as per template, and include 'Issue Tracker Tickets:' section if applicable.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows Conventional Commits format with type 'fix' and a clear description of the change, directly addressing the main modification in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[richm]

[citest]

[richm]

[citest]