Truncate TLS common name to 64 characters (#318)

Fixes uncaught exception caused by changes in #317 https://warthogs.atlassian.net/browse/DPE-5411
canonical · Sep 9, 2024 · bd2f317 · bd2f317
1 parent f4cbbef
commit bd2f317
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 12 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/src/relations/tls.py b/src/relations/tls.py
@@ -116,9 +116,12 @@ def _generate_csr(self, key: bytes) -> bytes:
         extra_hosts, extra_ips = self._charm.get_all_k8s_node_hostnames_and_ips()
         return tls_certificates.generate_csr(
             private_key=key,
-            subject=socket.getfqdn(),
+            # X.509 CommonName has a limit of 64 characters
+            # (https://github.com/pyca/cryptography/issues/10553)
+            subject=socket.getfqdn()[:64],
             organization=self._charm.app.name,
             sans_dns=[
+                socket.getfqdn(),
                 unit_name,
                 f"{unit_name}.{self._charm.app.name}-endpoints",
                 f"{unit_name}.{self._charm.app.name}-endpoints.{self._charm.model_service_domain}",