The attached patch fixes https://fedorahosted.org/freeipa/ticket/4970.
Note that the problem is addressed by adding the appropriate request extension to the CSR; the fix does not involve changing the default profile behaviour, which is complicated (see ticket for details). Thanks, Fraser
From e984b2cbfd419a2a71aa40ba4b42dd29857a66d9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install or replica prepare, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger already adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipaserver/install/certs.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
         cdb = self
         if subject is None:
             subject=DN(('CN', hostname), self.subject_base)
-        self.request_cert(subject)
+        self.request_cert(subject, san_dnsnames=[hostname])
         cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
         self.import_cert(self.certder_fname, nickname)
         fd = open(self.certder_fname, "r")
@@ -359,7 +359,9 @@ class CertDB(object):
         os.unlink(self.certreq_fname)
         os.unlink(self.certder_fname)
 
-    def request_cert(self, subject, certtype="rsa", keysize="2048"):
+    def request_cert(
+            self, subject, certtype="rsa", keysize="2048",
+            san_dnsnames=None):
         assert isinstance(subject, DN)
         self.create_noise_file()
         self.setup_cert_request()
@@ -370,6 +372,8 @@ class CertDB(object):
             "-z", self.noise_fname,
             "-f", self.passwd_fname,
             "-a"]
+        if san_dnsnames is not None and len(san_dnsnames) > 0:
+            args += ['-8', ','.join(san_dnsnames)]
         (stdout, stderr, returncode) = self.run_certutil(args)
         os.remove(self.noise_fname)
         return (stdout, stderr)
-- 
2.4.3
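Review bot: The new `san_dnsnames` parameter on `request_cert` is undocumented, and since this method now shapes the SAN extension of the HTTP/LDAP server certificates the contract deserves a docstring. I would add, directly under the new signature, `"""Generate a CSR for *subject*; ``san_dnsnames`` (optional list of str) are added as dNSName entries of a Subject Alternative Name extension via certutil ``-8``."""`. It is worth stating there that the default of `None` means no SAN extension is requested at all, since that is the pre-patch behaviour callers other than the server-cert path will keep. The body of `request_cert` continues past the end of this hunk.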
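Review bot: `','.join(san_dnsnames)` hands certutil `-8` a comma-separated list, so a name that itself contains a comma would be silently split into two dNSName entries rather than rejected; a guard before the join, `if any(',' in name for name in san_dnsnames):` / `raise ValueError("SAN dNSName must not contain ','")`, keeps the requested SAN equal to what the caller asked for. As a point of style, `if san_dnsnames is not None and len(san_dnsnames) > 0:` is the idiomatic `if san_dnsnames:` — an empty list and `None` both mean "no SAN", which is exactly what the current condition checks. `request_cert` starts outside this hunk; the hunk does contain its return.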