
fix: do not use cert '-subj' with hostname to generate cert, use subjectAltName #24

Merged
richm merged 1 commit into linux-system-roles:main from richm:fix-do-not-use-cert-subj on Jun 10, 2026

Conversation


@richm richm commented Jun 10, 2026

Contributor

Cause: The code was using openssl -subj /CN=$(hostname) to generate the
cert used for the server. The argument to '-subj' has a maximum length
of 64 characters, but the hostname is longer than that.

Consequence: The role would issue an error attempting to generate the
certificate if the hostname was too long.

Fix: Do not use '-subj' with the hostname. Certificate verification uses subjectAltName
and the role was already using this in the generated cert. However, we have
to have something in -subj otherwise openssl will prompt for input, so we
just use /O=Red Hat as is used with the token signer.

Result: The role can generate certificates which are secure without an
error when the hostnames are too long for -subj.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Summary by CodeRabbit

  • Chores
    • Updated SSL certificate configuration for the server component to standardize subject information and improve consistency in certificate generation.

@richm richm requested a review from spetrosi as a code owner June 10, 2026 15:17

coderabbitai Bot commented Jun 10, 2026

Walkthrough

The pull request modifies the KBS server certificate generation in the Ansible task file, removing the hostname-derived common name from the certificate subject while preserving the organization value. The OpenSSL subject now contains only O=Red Hat instead of both CN=$(hostname -f) and O=Red Hat.

Changes

KBS Certificate Subject Configuration

Layer / File(s): tasks/trustee_quadlet.yml
Summary: KBS server certificate subject parameter update. The OpenSSL -subj argument for generating KBS server.crt removes the CN=$(hostname -f) component, leaving only O=Red Hat as the certificate subject.
🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Description Format ⚠️ Warning PR description doesn't follow template structure; missing required "Enhancement:" or "Feature:" header at start and "Reason:" section label explicitly required by .github/pull_request_template.md. Reformat PR description to match template: start with "Enhancement:" or "Feature:", add "Reason:" section label, keep "Result:" section, add "Issue Tracker Tickets" if applicable.
Description check ❓ Inconclusive The PR description provides detailed context about the problem, solution, and result, but does not follow the repository's required template structure with 'Enhancement', 'Reason', 'Result', and 'Issue Tracker Tickets' sections. Reformat the description to match the template: add 'Enhancement:' section, reorganize 'Reason:' and 'Result:' sections as per template, and include 'Issue Tracker Tickets:' section if applicable.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The PR title follows Conventional Commits format with type 'fix' and a clear description of the change, directly addressing the main modification in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



richm commented Jun 10, 2026

Contributor Author

[citest]

…ectAltName

Cause: The code was using openssl -subj /CN=$(hostname) to generate the
cert used for the server.  The argument to '-subj' has a maximum length
of 64 characters, but the hostname is longer than that.

Consequence: The role would issue an error attempting to generate the
certificate if the hostname was too long.

Fix: Do not use '-subj' with the hostname.  Certificate verification uses subjectAltName
and the role was already using this in the generated cert.  However, we have
to have something in `-subj` otherwise openssl will prompt for input, so we
just use `/O=Red Hat` as is used with the token signer.

Result: The role can generate certificates which are secure without an
error when the hostnames are too long for `-subj`.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
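The approach the PR description and the commit message above take, as an added example that is not code from this PR or the linux-system-roles project: the certificate subject carries only `/O=Red Hat`, the hostname goes into subjectAltName, and the helpers check that the resulting certificate has the hostname in the SAN and nothing but the organization in the subject. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the helper names `make_cert`, `cert_subject`, `cert_has_san_host` and `cn_too_long_fails` and the 76-character `LONG_HOST` value are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from this PR or the linux-system-roles project.
# Generates a server certificate the way the fix describes: the subject is
# only /O=Red Hat and the hostname lives in subjectAltName, so a hostname
# longer than the 64-character CN limit no longer breaks generation.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext).
set -e

# Constructed hostname, 76 characters, longer than the 64-character CN limit.
LONG_HOST="node-with-a-deliberately-very-long-name.example-cluster.internal.example.com"

# make_cert OUTDIR HOST (hypothetical helper): writes OUTDIR/key.pem and
# OUTDIR/server.crt with subject /O=Red Hat and SAN DNS:HOST.
make_cert() {
  outdir=$1
  host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$outdir/key.pem" -out "$outdir/server.crt" \
    -subj "/O=Red Hat" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# cert_subject CERT (hypothetical helper): prints the subject in RFC 2253
# form, e.g. "O=Red Hat".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# cert_has_san_host CERT HOST (hypothetical helper): succeeds when the SAN
# extension lists DNS:HOST, which is what TLS clients match the hostname
# against; the CN is not needed for that.
cert_has_san_host() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cn_too_long_fails HOST (hypothetical helper): succeeds when openssl refuses
# -subj /CN=HOST, i.e. reproduces the failure the role hit before the fix.
cn_too_long_fails() {
  tmp=$(mktemp -d)
  rc=0
  openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
    -out "$tmp/req.csr" -subj "/CN=$1" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  [ "$rc" -ne 0 ]
}

# Stand-alone run: generate into a temporary directory and show the result.
workdir=$(mktemp -d)
make_cert "$workdir" "$LONG_HOST"
echo "subject: $(cert_subject "$workdir/server.crt")"
if cert_has_san_host "$workdir/server.crt" "$LONG_HOST"; then
  echo "SAN carries DNS:$LONG_HOST"
fi
if cn_too_long_fails "$LONG_HOST"; then
  echo "as expected, openssl rejects -subj /CN=<76-character hostname>"
fi
rm -rf "$workdir"
```

Modern TLS clients match the server name against subjectAltName dNSName entries, not the CN, so dropping the CN loses nothing for verification; what a role like this needs to guarantee is that the SAN is still populated with the real hostname, which is the check `cert_has_san_host` performs.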
@richm richm force-pushed the fix-do-not-use-cert-subj branch from 0b68005 to 2ca9051 on June 10, 2026 19:14
@richm richm changed the title from "fix: do not use cert '-subj' to generate cert, use subjectAltName" to "fix: do not use cert '-subj' with hostname to generate cert, use subjectAltName" on Jun 10, 2026

richm commented Jun 10, 2026

Contributor Author

[citest]

@richm richm merged commit dd85958 into linux-system-roles:main Jun 10, 2026
39 checks passed
@richm richm deleted the fix-do-not-use-cert-subj branch June 10, 2026 19:33