Harry G Coin via FreeIPA-users wrote: > Found a discussion of this here: > https://frasertweedale.github.io/blog-redhat/posts/2019-02-18-freeipa-san-ip.html > > > Summary: Unless freeipa's DNS is in use, even if the sysadmins know the > IPS to be correct owing to dnssec supported resolvers, freeipa can't > issue certificates with IP's in the SAN. There exists no --force > option for instances where the sysadmins do know the off-host resolvers > are complete and correct. It also appears freeipa won't even allow > freeipa dns to be installed but to use forwarders in this case. > According to the 2019 blog entry, there MUST be dns records in the LDAP > or freeipa can't issue certs with IP's in the SAN. > > I think either a --permit-offhost-resolver or --skip-san-ip-check flag > for ipa-cert-request would put appropriate control in the local > sysadmin's hands. > > The alternative is either to migrate away from freeipa for certificates, > leaving it only a kerberos/ldap Idm provider, or to create some cron job > that populates freeipa's dns from the authoritative offhost source (a > reverse-double-bind-dyn-ldap??)?? Or hack a custom > ipaserver/plugins/cert.py > > If we knew a flag in ipa-cert-request to allow local judgement to > control this situation was in the works, the temporary hack to > ipaserver/plugins/cert.py would be the best approach. The alternatives > are not very attractive. > > Has all this been fixed in some newer version? Hopefully? > > Thanks > > Harry > > --- > > Hi Freeipa Team > > > Am I correct that only if freeipa's internal DNS is active and current > that freeipa can issue certificates if IP addresses are in the SAN part > of the cert? Even if DNSSec supported resolvers with accurate info are > on the same RFC1918 subnet as freeipa and nslookup / dig report proper > answers? > > I hit a wall trying to re-issue a certificate. We had freeipa's DNS > running a few years ago, when the certs were first issued. then migrated > to another resolver with better HA dnssec support. > > Would freeipa be able to issue IPs in certificates if I enabled > freeipa's dns system but pointed it off-host for all resolutions? Or is > it required the DNS records be in local LDAP 'no matter what'. > > Or perhaps a 'force because I actually do know what I'm doing' command > to issue such certificates with IPs in the SAN? > > I feel like I'm missing something obvious here, so please help me out.
A certificate means that IPA (the CA) says that this system is to be trusted. How can IPA make that promise if it doesn't know who owns the IP, or SAN or whatever? Any type of force flag will become muscle memory and never be validated again. Someone will write a blog or post somewhere mentioning --force and search engines will suggest it forever without people understanding what they are forcing, and how bad it could be. That is why IPA is so strict. If you really need this you could disable the check in IPA, but remembering to do so on every server after every update would get tiresome I'd imagine. rob -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
