Merge pull request #1557 from craigcomstock/CFE-4469/3.21

Modified hub package install scriptlet to use hostname -s and fail if that is longer than 64 characters (3.21)
cfengine · Dec 12, 2024 · e4cca3d · e4cca3d
2 parents e06d2e1 + 714cb5c
commit e4cca3d
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 7 deletions.
diff --git a/.github/workflows/build-using-buildscripts.yml b/.github/workflows/build-using-buildscripts.yml
@@ -128,7 +128,7 @@ jobs:
 
       - name: Save artifacts
         if: success() || failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: artifacts
           path: |

diff --git a/.github/workflows/deployment-tests.yml b/.github/workflows/deployment-tests.yml
@@ -134,9 +134,8 @@ jobs:
 
       - name: Save artifacts
         if: success() || failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: artifacts
+          name: deployment-test-artifacts
           path: |
             artifacts
-            packages
diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
@@ -308,6 +308,11 @@ mkdir -p $CFENGINE_MP_DEFAULT_KEY_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CSR_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CERT_LINK_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_SSLCONF_LOCATION
+CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+  cf_console echo "Short hostname, $CFENGINE_SHORTNAME, is longer than 64 bytes so cannot be used for a self-signed cert CN."
+  exit 1
+fi
 CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
 CFENGINE_SSL_KEY_SIZE="4096"
 CFENGINE_SSL_DAYS_VALID="3650"
@@ -327,7 +332,7 @@ if [ ! -f $CFENGINE_MP_CERT ]; then
   ${CFENGINE_OPENSSL} rsa -passin pass:x -in ${CFENGINE_MP_PASS_KEY} -out ${CFENGINE_MP_KEY}
 
   # Generate a CSR in ${CFENGINE_MP_CSR} with key ${CFENGINE_MP_KEY}
-  ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_LOCALHOST" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
+  ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_SHORTNAME" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
 
   # Build configuration with reasonable default subjectAltName entries
   rm -f "$CFENGINE_MP_SSLCONF"

diff --git a/packaging/common/cfengine-hub/preinstall.sh b/packaging/common/cfengine-hub/preinstall.sh
@@ -105,9 +105,10 @@ if [ "`package_type`" = "rpm" ]; then
 fi
 
 #
+# If an existing cert is not in place then:
 # Before starting the installation process we need to check that
-# hostname -f returns a valid name. If that is not the case then
-# we just abort the installation.
+# hostname -f returns a valid name and hostname -s is shorter
+# than 64 characters. If not we abort the installation.
 #
 NAME=$(hostname -f) || true
 if [ -z "$NAME" ];
@@ -119,6 +120,18 @@ then
   exit 1
 fi
 
+CFENGINE_MP_DEFAULT_CERT_LOCATION="$PREFIX/httpd/ssl/certs"
+CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
+CFENGINE_MP_CERT=$CFENGINE_MP_DEFAULT_CERT_LOCATION/$CFENGINE_LOCALHOST.cert
+if [ ! -f "$CFENGINE_MP_CERT" ]; then
+  CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+  if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+    cf_console echo "hostname -s returned '$CFENGINE_SHORTNAME' which is longer than 64 characters and cannot be used to generate a self-signed cert common name (CN)."
+    cf_console echo "Please make sure that hostname -s returns a name less than 64 characters long."
+    exit 1
+  fi
+fi
+
 #stop the remaining services on upgrade
 if is_upgrade; then
   cf_console platform_service cfengine3 stop