From decaa42e22d325de244480028889aef2804a5c36 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Mon, 9 Dec 2024 15:45:49 -0600
Subject: [PATCH] Modified hub package install scriptlet to use hostname -s and fail if that is longer than 64 characters

We create a self-signed certificate and the CN must be 64 characters or less so use hostname -s instead of hostname -f and fail if even the short name is longer than 64 characters. This check is added to the preinstall scriptlet so that the package will not even be unpacked if hostname -s is longer than 64 characters long. This check is only activated if there is no current cert present such as during an upgrade.

Ticket: CFE-4469
Changelog: title libre
---
 packaging/common/cfengine-hub/postinstall.sh | 7 ++++++-
 packaging/common/cfengine-hub/preinstall.sh | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
index 58b2aeb56..d0b11e19b 100644
--- a/packaging/common/cfengine-hub/postinstall.sh
+++ b/packaging/common/cfengine-hub/postinstall.sh
@@ -315,6 +315,11 @@ mkdir -p $CFENGINE_MP_DEFAULT_KEY_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CSR_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CERT_LINK_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_SSLCONF_LOCATION
+CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+ cf_console echo "Short hostname, $CFENGINE_SHORTNAME, is longer than 64 bytes so cannot be used for a self-signed cert CN."
+ exit 1
+fi
 CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
 CFENGINE_SSL_KEY_SIZE="4096"
 CFENGINE_SSL_DAYS_VALID="3650"
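Review bot: The new `CFENGINE_SHORTNAME` length check runs unconditionally, whereas the preinstall scriptlet (and the commit message) only apply it when no cert exists yet, so upgrading a hub that already has a working cert but a short hostname over 64 characters passes preinstall and then aborts here with the package already unpacked. The CSR is only generated inside the `if [ ! -f $CFENGINE_MP_CERT ]` branch that begins after this hunk (per the next hunk's header), so the check belongs inside that branch, or behind the same `[ ! -f "$CFENGINE_MP_CERT" ]` guard once that variable is set. The message says `64 bytes` while `wc -m` counts characters; `if [ -z "$CFENGINE_SHORTNAME" ] || [ "${#CFENGINE_SHORTNAME}" -gt 64 ]; then` makes the unit explicit, drops the echo|wc pipeline, and also rejects an empty result from a failed `hostname -s`, which currently passes the check (pipeline status is discarded) and would yield an empty CN in the `req` call.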
@@ -334,7 +339,7 @@ if [ ! -f $CFENGINE_MP_CERT ]; then
 ${CFENGINE_OPENSSL} rsa -passin pass:x -in ${CFENGINE_MP_PASS_KEY} -out ${CFENGINE_MP_KEY}

 # Generate a CSR in ${CFENGINE_MP_CSR} with key ${CFENGINE_MP_KEY}
- ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_LOCALHOST" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
+ ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_SHORTNAME" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}

 # Build configuration with reasonable default subjectAltName entries
 rm -f "$CFENGINE_MP_SSLCONF"
diff --git a/packaging/common/cfengine-hub/preinstall.sh b/packaging/common/cfengine-hub/preinstall.sh
index 208954a7b..b4b1ff771 100644
--- a/packaging/common/cfengine-hub/preinstall.sh
+++ b/packaging/common/cfengine-hub/preinstall.sh
@@ -105,9 +105,10 @@ if [ "`package_type`" = "rpm" ]; then
 fi

 #
+# If an existing cert is not in place then:
 # Before starting the installation process we need to check that
-# hostname -f returns a valid name. If that is not the case then
-# we just abort the installation.
+# hostname -f returns a valid name and hostname -s is shorter
+# than 64 characters. If not we abort the installation.
 #
 NAME=$(hostname -f) || true
 if [ -z "$NAME" ];
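Review bot: With the CN switched to `$CFENGINE_SHORTNAME`, hostname verification in TLS clients is done against subjectAltName rather than CN, and the cert file name and the preinstall check still key off `$CFENGINE_LOCALHOST` (the FQDN), so the SAN configuration built after `rm -f "$CFENGINE_MP_SSLCONF"` must carry the FQDN (and ideally the short name too) — that config is outside this hunk, so please confirm it still includes `$CFENGINE_LOCALHOST`. A comment on the changed line would stop the short name being "fixed" back to the FQDN later: `# CN is capped at 64 characters (X.509 ub-common-name), so use the short name; the FQDN belongs in subjectAltName below.` The `-subj` value is interpolated unescaped, so a short name containing `/` or `=` would alter the DN; hostname(1) output should not contain those, but the preceding length check does not rule it out. The enclosing `if [ ! -f $CFENGINE_MP_CERT ]` block starts before and ends after this hunk.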
@@ -119,6 +120,18 @@ then
 exit 1
 fi

+CFENGINE_MP_DEFAULT_CERT_LOCATION="$PREFIX/httpd/ssl/certs"
+CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
+CFENGINE_MP_CERT=$CFENGINE_MP_DEFAULT_CERT_LOCATION/$CFENGINE_LOCALHOST.cert
+if [ ! -f "$CFENGINE_MP_CERT" ]; then
+ CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+ if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+ cf_console echo "hostname -s returned '$CFENGINE_SHORTNAME' which is longer than 64 characters and cannot be used to generate a self-signed cert common name (CN)."
+ cf_console echo "Please make sure that hostname -s returns a name less than 64 characters long."
+ exit 1
+ fi
+fi
+
 #stop the remaining services on upgrade
 if is_upgrade; then
 cf_console platform_service cfengine3 stop
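Review bot: An empty result from `hostname -s` passes the new check inside the `if [ ! -f "$CFENGINE_MP_CERT" ]` block — the pipeline's exit status is discarded and `wc -m` reports 0 — whereas the `NAME=$(hostname -f) || true` check just above explicitly rejects an empty FQDN, so a host whose short name cannot be determined is only caught in postinstall, after the package is unpacked. Mirror that guard and drop the `echo -n | wc -m` subshell: `if [ -z "$CFENGINE_SHORTNAME" ] || [ "${#CFENGINE_SHORTNAME}" -gt 64 ]; then`. The second error message says `less than 64 characters` but the test accepts exactly 64; `64 characters or fewer` matches both the condition and the commit message. `$PREFIX` is referenced in the new `CFENGINE_MP_DEFAULT_CERT_LOCATION` line but not set within this hunk — presumably defined earlier in the scriptlet; if it were empty the path would collapse to `/httpd/ssl/certs`, the existing cert would never be found, and the check would also fire on upgrades.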