fix: Do not set the CN in the self-signed certificate generated during the installation phase

Tuleap generates a self-signed certificate during the installation phase in order to prepare the nginx configuration (for production deployment it is expected to be replaced with a certificate properly managed in your deployment context).

The certificate is currently generated with a subject containing the CN. This is problematic when a long domain name is used, as the CN field is limited to 64 characters.

In order to resolve that, we do not set the CN anymore; browsers (and most modern tooling) will look at the Subject Alternative Name extension anyway (for reference, major providers like Let's Encrypt allow this sort of certificate since last year [0]).

Also took the opportunity to switch to ECDSA instead of RSA; it is faster to generate.

To test the generation you can drop your existing config and certificates and re-generate them with something like:

```
rm -f /etc/pki/tls/private/localhost.key.pem /etc/pki/tls/certs/localhost.cert.pem /etc/nginx/conf.d/tuleap.conf && tuleap-cfg site-deploy:nginx && systemctl restart nginx
```

Part of request #39012 Installation might not succeed when a long domain name is used

[0] https://community.letsencrypt.org/t/simplifying-issuance-for-very-long-domain-names/207924

Change-Id: Idee75d68eb5044a368da690c73a5f5d0d4610ae6

Modified Files

M src/tuleap-cfg/Command/SiteDeploy/Nginx/NginxCommon.php (+1 −1)
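
The failure and the fix described in the commit message can be reproduced with the `openssl` CLI. The script below is an added example, not part of the commit or of Tuleap's code; it assumes OpenSSL 1.1.1 or later, and the host name, the function names and the choice to mark the SAN critical are this example's own.

```shell
#!/bin/sh
# Added example, not Tuleap's code. Assumes OpenSSL 1.1.1 or later (-addext).
# Constructed host name, longer than the 64-character limit on the CN field.
LONG_NAME="tuleap-integration-environment.engineering-department.corp.example.test"

# Shared options: self-signed, unencrypted ECDSA P-256 key, 30-day validity.
# $1 = output path prefix, $2 = subject string, $3 = DNS name for the SAN.
gen_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 30 \
        -keyout "$1.key.pem" -out "$1.cert.pem" \
        -subj "$2" -addext "subjectAltName=critical,DNS:$3" 2>/dev/null
}

# Old style: host name copied into the subject CN. Fails for long names.
gen_with_cn() { gen_cert "$1" "/CN=$2" "$2"; }

# New style: empty subject, identity carried only by the SAN extension.
# RFC 5280 requires the SAN to be critical when the subject is empty.
gen_san_only() { gen_cert "$1" "/" "$2"; }

# True when the certificate lists the DNS name in its SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# True when the certificate subject still carries a CN attribute.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q 'CN *='
}

demo() {
    dir=$(mktemp -d) || return 1
    echo "name length: ${#LONG_NAME}"
    if gen_with_cn "$dir/cn" "$LONG_NAME"; then
        echo "CN subject: generated"
    else
        echo "CN subject: rejected by openssl"
    fi
    if gen_san_only "$dir/san" "$LONG_NAME"; then
        openssl x509 -in "$dir/san.cert.pem" -noout -subject -ext subjectAltName
    fi
    rm -rf "$dir"
}
demo
```

Clients that still match host names against the CN only will not accept the SAN-only certificate, which is worth checking for any legacy tooling that talks to the instance.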