On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > Fraser Tweedale wrote:
> > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > >>> The attached patch fixes
> > >>> https://fedorahosted.org/freeipa/ticket/4970.
> > >>>
> > >>> Note that the problem is addressed by adding the appropriate request
> > >>> extension to the CSR; the fix does not involve changing the default
> > >>> profile behaviour, which is complicated (see ticket for details).
> > >>
> > >> Thanks for the patch! This is something we should really fix, I already
> > >> get warnings in my Python scripts when I hit sites protected by such
> > >> HTTPS cert:
> > >>
> > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> > >>
> > >> Should we split ticket 4970, for the FreeIPA server part and then for
> > >> cert profile part? As it looks like the FreeIPA server will be fixed
> > >> even in FreeIPA 4.3.x and the other part later.
> > >>
> > >> How difficult do you see the general FreeIPA Certificate Profile part
> > >> of this request? Is it a too big task to handle in 4.4 time frame?
> > >>
> > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > doable but is a lower priority than e.g. Sub-CAs.
> > 
> > If you are going to defer the profile part then you should probably
> > update the client to also include a SAN if --request-cert is provided.
> > 
> > rob
> > 
> Yes, good idea.  Updated patch attached.
> 
> Cheers,
> Fraser

Bump, with rebased patch.

From 51c59430905862ec586661f168ed2a36491d41d4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py                   | 9 ++++++++-
 ipaserver/install/certs.py                | 8 ++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..07334df1c00c55629a956af26075871d56a23550
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, 
hostname, options,
     try:
         certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
                                 nickname='Local IPA host',
-                                subject=subject,
+                                subject=subject, dns=[hostname],
                                 principal=principal,
                                 passwd_fname=passwd_fname)
     except Exception:
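Review bot: `dns=[hostname]` assumes that `hostname` in `configure_certmonger` is the fully qualified name the host is reached by; worth confirming at this call site, since a short name in the SAN would not satisfy RFC 2818 name matching any better than the CN did.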
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 
f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..06d9bcc151afafdb8d301b25a1893a1c7cf9b569
 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -298,9 +298,14 @@ def add_subject(request_id, subject):
     add_request_value(request_id, 'template-subject', subject)
 
 
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+        nssdb, nickname, subject, principal, passwd_fname=None,
+        dns=None):
     """
     Execute certmonger to request a server certificate.
+
+    ``dns``
+        A sequence of DNS names to appear in SAN request extension.
     """
     cm = _certmonger()
     ca_path = cm.obj_if.find_ca_by_nickname('IPA')
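Review bot: the new docstring entry reads "to appear in SAN request extension"; "to appear in the SAN request extension (optional, default None)" would state the contract fully and match the keyword's default in the signature.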
@@ -311,6 +316,8 @@ def request_cert(nssdb, nickname, subject, principal, 
passwd_fname=None):
                               KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
                               SUBJECT=subject, PRINCIPAL=[principal],
                               CA=ca_path)
+    if dns is not None and len(dns) > 0:
+        request_parameters['DNS'] = dns
     if passwd_fname:
         request_parameters['KEY_PIN_FILE'] = passwd_fname
     result = cm.obj_if.add_request(request_parameters)
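Review bot: `if dns is not None and len(dns) > 0:` can simply be `if dns:`; and because the docstring promises any sequence, `request_parameters['DNS'] = list(dns)` would make sure a tuple or generator is handed to certmonger over D-Bus as a plain list of strings rather than passed through as-is.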
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 
f74b76090bfe2670a998373e3c7cdc3c5727c465..8a229587bb537fc8912f3a1823c05ab6f962f45a
 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -336,7 +336,7 @@ class CertDB(object):
             cdb = self
         if subject is None:
             subject=DN(('CN', hostname), self.subject_base)
-        self.request_cert(subject)
+        self.request_cert(subject, san_dnsnames=[hostname])
         cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
         self.import_cert(self.certder_fname, nickname)
         fd = open(self.certder_fname, "r")
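Review bot: the SAN is fixed to `[hostname]` here even when a caller supplies an explicit `subject`; consider letting the enclosing method accept and forward `san_dnsnames` too, so a non-hostname subject can carry a SAN that matches it.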
@@ -360,7 +360,9 @@ class CertDB(object):
         os.unlink(self.certreq_fname)
         os.unlink(self.certder_fname)
 
-    def request_cert(self, subject, certtype="rsa", keysize="2048"):
+    def request_cert(
+            self, subject, certtype="rsa", keysize="2048",
+            san_dnsnames=None):
         assert isinstance(subject, DN)
         self.create_noise_file()
         self.setup_cert_request()
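Review bot: the new `san_dnsnames` parameter is undocumented in this method; a one-line docstring saying it is an optional sequence of DNS names for the SAN extension, mirroring the note added to `ipapython/certmonger.py`, would help readers of `CertDB`.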
@@ -371,6 +373,8 @@ class CertDB(object):
                 "-z", self.noise_fname,
                 "-f", self.passwd_fname,
                 "-a"]
+        if san_dnsnames is not None and len(san_dnsnames) > 0:
+            args += ['-8', ','.join(san_dnsnames)]
         result = self.run_certutil(args,
                                    capture_output=True, capture_error=True)
         os.remove(self.noise_fname)
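Review bot: `if san_dnsnames is not None and len(san_dnsnames) > 0:` can be `if san_dnsnames:`; a short comment next to `args += ['-8', ','.join(san_dnsnames)]` noting that `-8` is certutil's option for a comma-separated list of SAN DNS names would spare the next reader a trip to the certutil man page.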
-- 
2.5.0
