Modified hub package install scriptlet to use hostname -s and fail if…

… that is longer than 64 characters We create a self-signed certificate and the CN must be 64 characters or less so use hostname -s instead of hostname -f and fail if even the short name is longer than 64 characters. This check is added to the preinstall scriptlet so that the package will not even be unpacked if hostname -s is longer than 64 characters long. This check is only activated if there is no current cert present such as during an upgrade. Ticket: CFE-4469 Changelog: title libre
cfengine · Dec 11, 2024 · decaa42 · decaa42
1 parent d5e2e38
commit decaa42
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
@@ -315,6 +315,11 @@ mkdir -p $CFENGINE_MP_DEFAULT_KEY_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CSR_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CERT_LINK_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_SSLCONF_LOCATION
+CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+  cf_console echo "Short hostname, $CFENGINE_SHORTNAME, is longer than 64 bytes so cannot be used for a self-signed cert CN."
+  exit 1
+fi
 CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
 CFENGINE_SSL_KEY_SIZE="4096"
 CFENGINE_SSL_DAYS_VALID="3650"
@@ -334,7 +339,7 @@ if [ ! -f $CFENGINE_MP_CERT ]; then
   ${CFENGINE_OPENSSL} rsa -passin pass:x -in ${CFENGINE_MP_PASS_KEY} -out ${CFENGINE_MP_KEY}
 
   # Generate a CSR in ${CFENGINE_MP_CSR} with key ${CFENGINE_MP_KEY}
-  ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_LOCALHOST" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
+  ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_SHORTNAME" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
 
   # Build configuration with reasonable default subjectAltName entries
   rm -f "$CFENGINE_MP_SSLCONF"

diff --git a/packaging/common/cfengine-hub/preinstall.sh b/packaging/common/cfengine-hub/preinstall.sh
@@ -105,9 +105,10 @@ if [ "`package_type`" = "rpm" ]; then
 fi
 
 #
+# If an existing cert is not in place then:
 # Before starting the installation process we need to check that
-# hostname -f returns a valid name. If that is not the case then
-# we just abort the installation.
+# hostname -f returns a valid name and hostname -s is shorter
+# than 64 characters. If not we abort the installation.
 #
 NAME=$(hostname -f) || true
 if [ -z "$NAME" ];
@@ -119,6 +120,18 @@ then
   exit 1
 fi
 
+CFENGINE_MP_DEFAULT_CERT_LOCATION="$PREFIX/httpd/ssl/certs"
+CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
+CFENGINE_MP_CERT=$CFENGINE_MP_DEFAULT_CERT_LOCATION/$CFENGINE_LOCALHOST.cert
+if [ ! -f "$CFENGINE_MP_CERT" ]; then
+  CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+  if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+    cf_console echo "hostname -s returned '$CFENGINE_SHORTNAME' which is longer than 64 characters and cannot be used to generate a self-signed cert common name (CN)."
+    cf_console echo "Please make sure that hostname -s returns a name less than 64 characters long."
+    exit 1
+  fi
+fi
+
 #stop the remaining services on upgrade
 if is_upgrade; then
   cf_console platform_service cfengine3 stop