On 01.07.2016 13:26, Petr Spacek wrote:
> On 20.1.2016 05:04, Fraser Tweedale wrote:
>> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
>>> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
>>>> Fraser Tweedale wrote:
>>>>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>>>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>>>>> The attached patch fixes
>>>>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>>>>
>>>>>>> Note that the problem is addressed by adding the appropriate request
>>>>>>> extension to the CSR; the fix does not involve changing the default
>>>>>>> profile behaviour, which is complicated (see ticket for details).
>>>>>> Thanks for the patch! This is something we should really fix, I already get
>>>>>> warnings in my Python scripts when I hit sites protected by such an HTTPS cert:
>>>>>>
>>>>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>>>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>>>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>>>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>>>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>>>>
>>>>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>>>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>>>>> 4.3.x and the other part later.
>>>>>>
>>>>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>>>>> request? Is it a too big task to handle in 4.4 time frame?
>>>>>
>>>>> I will split the ticket and would suggest 4.4 Backlog - it might be
>>>>> doable but is a lower priority than e.g. Sub-CAs.
>>>> If you are going to defer the profile part then you should probably
>>>> update the client to also include a SAN if --request-cert is provided.
>>>>
>>>> rob
>>>
>>> Yes, good idea.  Updated patch attached.
>>>
>>> Cheers,
>>> Fraser
>> Bump, with rebased patch.
> Hi,
>
> this seems to work for Apache on IPA server & client cert. ACK.
> Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3


Interestingly enough I found out that Dogtag cert used on port 8443 does not
have any SAN.

Is it in scope of this ticket?
I will leave the ticket open until this is answered.

Martin^2
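The fix discussed above puts the subjectAltName into the CSR as a request extension rather than relying on the CA profile to add it, and the urllib3 warning Martin quotes shows why: clients match the host name against the SAN and only fall back to commonName on the deprecated path. The following is an added example (editor's code, not FreeIPA or certmonger code) using python-cryptography: it builds a CSR with and without the SAN request extension, reads the SAN back out of the CSR, and mirrors the SAN-first / CN-fallback host-name check. The host names (host.ipa.test, alias.ipa.test) are constructed for the example, and the matcher does exact comparison only, with no wildcard rules.

```python
"""Build a CSR carrying a subjectAltName request extension, and check a CSR
for SAN coverage of a host name the way a TLS client does before falling
back to commonName.  Added example; requires the `cryptography` package."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_csr(hostname, extra_dns=(), with_san=True):
    """Return (private_key, PEM-encoded CSR) for hostname.

    with_san=False reproduces the pre-fix shape: a CN-only subject and no
    request extension, which modern TLS clients refuse to match by name.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    )
    if with_san:
        # The SAN is a *request* extension: the CA copies it into the
        # certificate only if its profile allows, so check the issued cert too.
        names = [x509.DNSName(hostname)] + [x509.DNSName(n) for n in extra_dns]
        builder = builder.add_extension(
            x509.SubjectAlternativeName(names), critical=False
        )
    csr = builder.sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)


def san_dns_names(csr_pem):
    """DNS names from the CSR's subjectAltName request extension, or []."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        # Proof of possession failed; do not trust any requested name.
        raise ValueError("CSR self-signature does not verify")
    try:
        ext = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def matches_hostname(csr_pem, hostname):
    """Return ("san", bool) when the CSR carries a SAN, else ("cn-fallback", bool).

    The second form is the deprecated path that triggers urllib3's
    SubjectAltNameWarning; RFC 2818 clients ignore the CN once a SAN exists.
    Exact, case-insensitive comparison only (no wildcard handling).
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    names = san_dns_names(csr_pem)
    if names:
        return "san", hostname.lower() in (n.lower() for n in names)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return "cn-fallback", bool(cn) and cn[0].value.lower() == hostname.lower()


if __name__ == "__main__":
    _, fixed = build_csr("host.ipa.test", extra_dns=("alias.ipa.test",))
    _, legacy = build_csr("host.ipa.test", with_san=False)
    print("fixed CSR SAN:", san_dns_names(fixed))
    print("fixed CSR match:", matches_hostname(fixed, "alias.ipa.test"))
    print("legacy CSR match:", matches_hostname(legacy, "host.ipa.test"))
```

Run it directly to see the SAN-carrying CSR match on the alias name while the CN-only CSR only matches through the fallback branch. The same `san_dns_names` logic, applied with `x509.load_pem_x509_certificate` instead of the CSR loader, is the check to run against the issued certificate, since a CA profile may still drop the requested extension.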


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code