On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote: > Fraser Tweedale wrote: > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > >>> The attached patch fixes > >>> https://fedorahosted.org/freeipa/ticket/4970. > >>> > >>> Note that the problem is addressed by adding the appropriate request > >>> extension to the CSR; the fix does not involve changing the default > >>> profile behaviour, which is complicated (see ticket for details). > >> > >> Thanks for the patch! This is something we should really fix, I already get > >> warnings in my Python scripts when I hit sites protected by such HTTPS > >> cert: > >> > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: > >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has > >> no > >> `subjectAltName`, falling back to check for a `commonName` for now. This > >> feature is being removed by major browsers and deprecated by RFC 2818. (See > >> https://github.com/shazow/urllib3/issues/497 for details.) > >> > >> Should we split ticket 4970, for the FreeIPA server part and then for cert > >> profile part? As it looks like the FreeIPA server will be fixed even in > >> FreeIPA > >> 4.3.x and the other part later. > >> > >> How difficult do you see the general FreeIPA Certificate Profile part of > >> this > >> request? Is it a too big task to handle in 4.4 time frame? > >> > > I will split the ticket and would suggest 4.4 Backlog - it might be > > doable but is a lower priority than e.g. Sub-CAs. > > If you are going to defer the profile part then you should probably > update the client to also include a SAN if --request-cert is provided. > > rob > Yes, good idea. Updated patch attached.
Cheers, Fraser
From 72e24bb90fbb331644f0509371872a17f86007cb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py | 9 ++++++++-
 ipaserver/install/certs.py | 8 ++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 974dd1da8bf3f5836170ca67d2f4c298e7ec6844..fd273597944b8d07a2c9bdb96f6a32566085747f 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
 try:
 certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, nickname='Local IPA host',
- subject=subject,
+ subject=subject, dns=[hostname],
 principal=principal, passwd_fname=passwd_fname)
 except Exception:
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 2a4e43d3c5d5746134fc5b11a2d01d05f67a2e26..8901d3bb068cc1e0c94ea6c5a093d054ce0557e6 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -299,9 +299,14 @@ def add_subject(request_id, subject):
 add_request_value(request_id, 'template-subject', subject)
 
 
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+ nssdb, nickname, subject, principal, passwd_fname=None,
+ dns=None):
 """
 Execute certmonger to request a server certificate.
+
+ ``dns``
+ A sequence of DNS names to appear in SAN request extension.
 """
 cm = _certmonger()
 ca_path = cm.obj_if.find_ca_by_nickname('IPA')
@@ -312,6 +317,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
 KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, SUBJECT=subject, PRINCIPAL=[principal], CA=ca_path)
+ if dns is not None and len(dns) > 0:
+ request_parameters['DNS'] = dns
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
 cdb = self
 if subject is None:
 subject=DN(('CN', hostname), self.subject_base)
- self.request_cert(subject)
+ self.request_cert(subject, san_dnsnames=[hostname])
 cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
 self.import_cert(self.certder_fname, nickname)
 fd = open(self.certder_fname, "r")
@@ -359,7 +359,9 @@ class CertDB(object):
 os.unlink(self.certreq_fname)
 os.unlink(self.certder_fname)
 
- def request_cert(self, subject, certtype="rsa", keysize="2048"):
+ def request_cert(
+ self, subject, certtype="rsa", keysize="2048",
+ san_dnsnames=None):
 assert isinstance(subject, DN)
 self.create_noise_file()
 self.setup_cert_request()
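Review bot: The new ``dns`` docstring entry in request_cert does not say that the CN of ``subject`` is not copied into the SAN by this function — only what the caller passes in ``dns`` reaches request_parameters['DNS'] (see the following hunk), so a caller that omits the hostname still requests a certificate with no dNSName. I would extend the entry to `A sequence of DNS names for the subjectAltName request extension; the CN in ``subject`` is not added automatically, so include the hostname here.` Whether certmonger itself adds the CN cannot be seen from this patch, but the sentence describes what this function sends and so holds regardless. The same concept is named `dns` here and `san_dnsnames` in CertDB.request_cert; one name for both would help readers.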
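Review bot: `if dns is not None and len(dns) > 0:` is the idiomatic `if dns:`, which treats None and an empty sequence the same way; the same guard appears in the certs.py hunk at -370 (`if san_dnsnames is not None and len(san_dnsnames) > 0:` → `if san_dnsnames:`). request_parameters is presumably handed to certmonger over D-Bus via cm.obj_if.add_request, so the docstring's "sequence" is only accurate if the marshalling accepts whatever container the caller passes — worth confirming rather than assuming a list is required. request_cert's body starts before and continues past this hunk.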
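Review bot: The new `san_dnsnames` parameter of CertDB.request_cert is undocumented — the method has no docstring at all, and its relation to `subject` (the CN is not placed in the SAN automatically; in the -370 hunk only `san_dnsnames` feeds certutil's `-8`) is exactly what a caller needs to know. I would add a short docstring stating the purpose, that `subject` must be a DN (the existing assert), that `certtype`/`keysize` select the key, and that `san_dnsnames` is an optional sequence of DNS names written into the request's subjectAltName extension. The method body continues past the end of this hunk.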
@@ -370,6 +372,8 @@ class CertDB(object):
 "-z", self.noise_fname, "-f", self.passwd_fname, "-a"]
+ if san_dnsnames is not None and len(san_dnsnames) > 0:
+ args += ['-8', ','.join(san_dnsnames)]
 (stdout, stderr, returncode) = self.run_certutil(args)
 os.remove(self.noise_fname)
 return (stdout, stderr)
-- 
2.4.3
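Review bot: The names are joined with ',' to build certutil's `-8` argument, so an entry that itself contains a comma would be read by certutil as two separate names; nothing in the hunk rejects such input. The call sites in this patch only pass a single hostname, so this is a robustness gap rather than a live bug, but a one-line guard before the join, `if any(',' in n for n in san_dnsnames): raise ValueError("SAN DNS name may not contain ','")`, or a docstring line saying callers must pass validated hostnames, would make the contract explicit. The enclosing method starts before this hunk.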