On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > Fraser Tweedale wrote:
> > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > >>> The attached patch fixes
> > >>> https://fedorahosted.org/freeipa/ticket/4970.
> > >>>
> > >>> Note that the problem is addressed by adding the appropriate request
> > >>> extension to the CSR; the fix does not involve changing the default
> > >>> profile behaviour, which is complicated (see ticket for details).
> > >>
> > >> Thanks for the patch! This is something we should really fix, I already
> > >> get warnings in my Python scripts when I hit sites protected by such
> > >> HTTPS cert:
> > >>
> > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com
> > >> has no `subjectAltName`, falling back to check for a `commonName` for now.
> > >> This feature is being removed by major browsers and deprecated by RFC 2818.
> > >> (See https://github.com/shazow/urllib3/issues/497 for details.)
> > >>
> > >> Should we split ticket 4970, for the FreeIPA server part and then for
> > >> cert profile part? As it looks like the FreeIPA server will be fixed even
> > >> in FreeIPA 4.3.x and the other part later.
> > >>
> > >> How difficult do you see the general FreeIPA Certificate Profile part of
> > >> this request? Is it a too big task to handle in 4.4 time frame?
> > >>
> > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > doable but is a lower priority than e.g. Sub-CAs.
> > If you are going to defer the profile part then you should probably
> > update the client to also include a SAN if --request-cert is provided.
> > rob
> Yes, good idea. Updated patch attached.
Bump, with rebased patch.
From 51c59430905862ec586661f168ed2a36491d41d4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py | 9 ++++++++-
 ipaserver/install/certs.py | 8 ++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm,
nickname='Local IPA host',
+ subject=subject, dns=[hostname],
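Review bot: the keyword is `dns` here, while the equivalent parameter added to `CertDB.request_cert` further down is `san_dnsnames`; using one name for both request paths (`san_dnsnames` is the more descriptive) keeps the two APIs symmetric and makes call sites easier to grep. Passing `[hostname]` is otherwise right: the client host cert gets the same dNSName that its subject CN carries, which is the name RFC 2818 clients check first.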
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
@@ -298,9 +298,14 @@ def add_subject(request_id, subject):
add_request_value(request_id, 'template-subject', subject)
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+ nssdb, nickname, subject, principal, passwd_fname=None,
Execute certmonger to request a server certificate.
+ A sequence of DNS names to appear in SAN request extension.
cm = _certmonger()
ca_path = cm.obj_if.find_ca_by_nickname('IPA')
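Review bot: the new signature is visible only up to `passwd_fname=None,`, so the `dns` parameter consumed in the next hunk cannot be seen here; please confirm it is declared last with a default of `None`, so existing positional callers of `request_cert` are unaffected. The floating docstring line `A sequence of DNS names to appear in SAN request extension.` should be attached to the parameter it describes (a `:param dns:` entry, or whatever parameter style the rest of the docstring uses) so it does not read as a stray sentence.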
@@ -311,6 +316,8 @@ def request_cert(nssdb, nickname, subject, principal,
+ if dns is not None and len(dns) > 0:
+ request_parameters['DNS'] = dns
request_parameters['KEY_PIN_FILE'] = passwd_fname
result = cm.obj_if.add_request(request_parameters)
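Review bot: `if dns is not None and len(dns) > 0:` can simply be `if dns:`; `None`, an empty list and an empty tuple are all false, which is the intent. More importantly, a bare string also passes the current test, so a caller that writes `dns=hostname` instead of `dns=[hostname]` would pass certmonger a string where the docstring promises a sequence of names; rejecting non-sequence input here (or normalising a single `str` into a one-element list) fails loudly instead of requesting a certificate with the wrong SAN.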
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
@@ -336,7 +336,7 @@ class CertDB(object):
cdb = self
if subject is None:
subject=DN(('CN', hostname), self.subject_base)
+ self.request_cert(subject, san_dnsnames=[hostname])
fd = open(self.certder_fname, "r")
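Review bot: the SAN is always `[hostname]`, even when the caller supplies its own `subject`, so a custom subject whose CN differs from `hostname` yields a certificate whose CN and SAN disagree. That is acceptable (RFC 2818 clients use the dNSName and ignore the CN once a SAN is present) but deserves a one-line comment, and a caller that needs additional names has no way to add them through this wrapper; consider an optional parameter that defaults to `[hostname]` rather than hard-coding the list here.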
@@ -360,7 +360,9 @@ class CertDB(object):
- def request_cert(self, subject, certtype="rsa", keysize="2048"):
+ def request_cert(
+ self, subject, certtype="rsa", keysize="2048",
assert isinstance(subject, DN)
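Review bot: as with the certmonger helper, the rest of the signature (where `san_dnsnames` is declared) is cut off after `keysize="2048",`; it should default to `None` so existing callers that pass only `subject` keep working, and the method's docstring should gain a description of the new argument. The existing `assert isinstance(subject, DN)` suggests the same style of guard for `san_dnsnames` (a list or tuple of strings), which also protects the `','.join` in the final hunk from a bare string.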
@@ -371,6 +373,8 @@ class CertDB(object):
+ if san_dnsnames is not None and len(san_dnsnames) > 0:
+ args += ['-8', ','.join(san_dnsnames)]
result = self.run_certutil(args,
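Review bot: `','.join(san_dnsnames)` silently does the wrong thing if a plain string reaches it: `len('ipa.example.test') > 0` is true and the join yields `i,p,a,...`, so certutil would be asked for one dNSName per character. A type check next to the existing subject assertion that rejects a bare string closes that hole. Since `-8` takes a comma-separated list, an element containing a comma would also be split into two names; hostnames cannot legally contain commas, so a simple per-element validation that each value looks like a DNS name is enough.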
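The discussion above turns on the distinction that the urllib3 warning makes: a client that finds a subjectAltName uses its dNSName entries and, per RFC 2818, falls back to the commonName only when no SAN is present. The following is an added example written for this thread; it is not FreeIPA, certmonger or certutil code. It encodes the DER GeneralNames structure that certutil's `-8` option (and certmonger's `DNS` request parameter) ask the CA to place in the SAN, decodes it back, and applies the RFC 2818 host-name rule including its single-label wildcard. Host names such as `ipa.example.test` are constructed for illustration; only the Python standard library is used.

```python
"""Encode/decode the subjectAltName GeneralNames structure for dNSName
entries and apply the RFC 2818 host-name check (SAN first, commonName
only as a deprecated fallback).  Example code for this review thread,
not FreeIPA or certmonger code; pure standard library."""

DNS_NAME_TAG = 0x82  # GeneralName CHOICE [2] dNSName, IMPLICIT IA5String


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san_dnsnames(names):
    """Build the DER GeneralNames SEQUENCE carrying one dNSName per host.
    This is the extension value the CSR asks the CA to copy into the SAN."""
    inner = b""
    for name in names:
        raw = name.encode("ascii")  # IA5String: IDNs must already be A-labels
        inner += bytes([DNS_NAME_TAG]) + _der_len(len(raw)) + raw
    return b"\x30" + _der_len(len(inner)) + inner


def _read_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode_san_dnsnames(der):
    """Return the dNSName strings in a DER GeneralNames SEQUENCE.
    Other GeneralName choices (rfc822Name, iPAddress, ...) are skipped."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        if tag == DNS_NAME_TAG:
            names.append(der[pos:pos + length].decode("ascii"))
        pos += length
    return names


def _name_match(pattern, host):
    """RFC 2818 matching: case-insensitive, '*' matches one left-most label."""
    p, h = pattern.lower(), host.lower()
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    rest = p[2:]
    return h.endswith("." + rest) and "." not in h[:-len(rest) - 1]


def hostname_matches(host, san_dnsnames, common_name):
    """Apply the RFC 2818 rule.  If any dNSName is present only those are
    consulted; commonName is used only when the SAN carries no dNSName.
    Returns (matched, which_field_was_used)."""
    if san_dnsnames:
        return any(_name_match(n, host) for n in san_dnsnames), "subjectAltName"
    if not common_name:
        return False, "no name"
    return _name_match(common_name, host), "commonName (deprecated)"


if __name__ == "__main__":
    # Constructed sample: a cert issued with the SAN the patch adds.
    san = encode_san_dnsnames(["ipa.example.test"])
    print(san.hex())
    print(hostname_matches("ipa.example.test", decode_san_dnsnames(san), "ipa.example.test"))
    # Constructed sample: a SAN-less cert, which only matches via the CN.
    print(hostname_matches("ipa.example.test", [], "ipa.example.test"))
```

The second return value makes the deprecated path visible, which is what a monitoring check for "certificates still relying on commonName" needs; the decoder deliberately skips non-dNSName entries so an iPAddress or rfc822Name in the same SAN cannot be mistaken for a host name.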