Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2016-07-19 Thread Fraser Tweedale
On Tue, Jul 19, 2016 at 02:21:05PM +0200, Martin Basti wrote:
> 
> 
> On 01.07.2016 13:26, Petr Spacek wrote:
> > On 20.1.2016 05:04, Fraser Tweedale wrote:
> > > On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> > > > On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > > > > Fraser Tweedale wrote:
> > > > > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > > > > > > On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > > > > > > > The attached patch fixes
> > > > > > > > https://fedorahosted.org/freeipa/ticket/4970.
> > > > > > > > 
> > > > > > > > Note that the problem is addressed by adding the appropriate 
> > > > > > > > request
> > > > > > > > extension to the CSR; the fix does not involve changing the 
> > > > > > > > default
> > > > > > > > profile behaviour, which is complicated (see ticket for 
> > > > > > > > details).
> > > > > > > Thanks for the patch! This is something we should really fix, I 
> > > > > > > already get
> > > > > > > warnings in my Python scripts when I hit sites protected by such 
> > > > > > > HTTPS cert:
> > > > > > > 
> > > > > > > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > > > > > > SubjectAltNameWarning: Certificate for 
> > > > > > > projects.engineering.redhat.com has no
> > > > > > > `subjectAltName`, falling back to check for a `commonName` for 
> > > > > > > now. This
> > > > > > > feature is being removed by major browsers and deprecated by RFC 
> > > > > > > 2818. (See
> > > > > > > https://github.com/shazow/urllib3/issues/497 for details.)
> > > > > > > 
> > > > > > > Should we split ticket 4970, for the FreeIPA server part and then 
> > > > > > > for cert
> > > > > > > profile part? As it looks like the FreeIPA server will be fixed 
> > > > > > > even in FreeIPA
> > > > > > > 4.3.x and the other part later.
> > > > > > > 
> > > > > > > How difficult do you see the general FreeIPA Certificate Profile 
> > > > > > > part of this
> > > > > > > request? Is it a too big task to handle in 4.4 time frame?
> > > > > > > 
> > > > > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > > > > doable but is a lower priority than e.g. Sub-CAs.
> > > > > If you are going to defer the profile part then you should probably
> > > > > update the client to also include a SAN if --request-cert is provided.
> > > > > 
> > > > > rob
> > > > > 
> > > > Yes, good idea.  Updated patch attached.
> > > > 
> > > > Cheers,
> > > > Fraser
> > > Bump, with rebased patch.
> > Hi,
> > 
> > this seems to work for Apache on IPA server & client cert. ACK.
> Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3
> 
> > 
> > Interestingly enough I found out that Dogtag cert used on port 8443 does not
> > have any SAN.
> > 
> > Is it in scope of this ticket?
> I will leave the ticket open until this is answered.
> 
It's in scope.  Also in scope is to make default profile
automatically add SAN dNSName if none is supplied.

Thanks,
Fraser

> Martin^2
> > 
> 
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2016-07-19 Thread Martin Basti



On 01.07.2016 13:26, Petr Spacek wrote:
> On 20.1.2016 05:04, Fraser Tweedale wrote:
>> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
>>> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
>>>> Fraser Tweedale wrote:
>>>>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>>>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>>>>> The attached patch fixes
>>>>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>>>>
>>>>>>> Note that the problem is addressed by adding the appropriate request
>>>>>>> extension to the CSR; the fix does not involve changing the default
>>>>>>> profile behaviour, which is complicated (see ticket for details).
>>>>>>
>>>>>> Thanks for the patch! This is something we should really fix, I already get
>>>>>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>>>>>
>>>>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>>>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>>>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>>>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>>>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>>>>
>>>>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>>>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>>>>> 4.3.x and the other part later.
>>>>>>
>>>>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>>>>> request? Is it a too big task to handle in 4.4 time frame?
>>>>>>
>>>>> I will split the ticket and would suggest 4.4 Backlog - it might be
>>>>> doable but is a lower priority than e.g. Sub-CAs.
>>>>
>>>> If you are going to defer the profile part then you should probably
>>>> update the client to also include a SAN if --request-cert is provided.
>>>>
>>>> rob
>>>>
>>> Yes, good idea.  Updated patch attached.
>>>
>>> Cheers,
>>> Fraser
>>
>> Bump, with rebased patch.
>
> Hi,
>
> this seems to work for Apache on IPA server & client cert. ACK.

Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3

>
> Interestingly enough I found out that Dogtag cert used on port 8443 does not
> have any SAN.
>
> Is it in scope of this ticket?

I will leave the ticket open until this is answered.

Martin^2






Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2016-07-01 Thread Petr Spacek
On 20.1.2016 05:04, Fraser Tweedale wrote:
> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
>> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
>>> Fraser Tweedale wrote:
>>>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>>>> The attached patch fixes
>>>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>>>
>>>>>> Note that the problem is addressed by adding the appropriate request
>>>>>> extension to the CSR; the fix does not involve changing the default
>>>>>> profile behaviour, which is complicated (see ticket for details).
>>>>>
>>>>> Thanks for the patch! This is something we should really fix, I already get
>>>>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>>>>
>>>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>>>
>>>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>>>> 4.3.x and the other part later.
>>>>>
>>>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>>>> request? Is it a too big task to handle in 4.4 time frame?
>>>>>
>>>> I will split the ticket and would suggest 4.4 Backlog - it might be
>>>> doable but is a lower priority than e.g. Sub-CAs.
>>>
>>> If you are going to defer the profile part then you should probably
>>> update the client to also include a SAN if --request-cert is provided.
>>>
>>> rob
>>>
>> Yes, good idea.  Updated patch attached.
>>
>> Cheers,
>> Fraser
> 
> Bump, with rebased patch.

Hi,

this seems to work for Apache on IPA server & client cert. ACK.

Interestingly enough I found out that Dogtag cert used on port 8443 does not
have any SAN.

Is it in scope of this ticket?

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2016-01-19 Thread Fraser Tweedale
On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > Fraser Tweedale wrote:
> > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > >>> The attached patch fixes
> > >>> https://fedorahosted.org/freeipa/ticket/4970.
> > >>>
> > >>> Note that the problem is addressed by adding the appropriate request
> > >>> extension to the CSR; the fix does not involve changing the default
> > >>> profile behaviour, which is complicated (see ticket for details).
> > >>
> > >> Thanks for the patch! This is something we should really fix, I already 
> > >> get
> > >> warnings in my Python scripts when I hit sites protected by such HTTPS 
> > >> cert:
> > >>
> > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com 
> > >> has no
> > >> `subjectAltName`, falling back to check for a `commonName` for now. This
> > >> feature is being removed by major browsers and deprecated by RFC 2818. 
> > >> (See
> > >> https://github.com/shazow/urllib3/issues/497 for details.)
> > >>
> > >> Should we split ticket 4970, for the FreeIPA server part and then for 
> > >> cert
> > >> profile part? As it looks like the FreeIPA server will be fixed even in 
> > >> FreeIPA
> > >> 4.3.x and the other part later.
> > >>
> > >> How difficult do you see the general FreeIPA Certificate Profile part of 
> > >> this
> > >> request? Is it a too big task to handle in 4.4 time frame?
> > >>
> > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > doable but is a lower priority than e.g. Sub-CAs.
> > 
> > If you are going to defer the profile part then you should probably
> > update the client to also include a SAN if --request-cert is provided.
> > 
> > rob
> > 
> Yes, good idea.  Updated patch attached.
> 
> Cheers,
> Fraser

Bump, with rebased patch.
From 51c59430905862ec586661f168ed2a36491d41d4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py   | 9 -
 ipaserver/install/certs.py| 8 ++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..07334df1c00c55629a956af26075871d56a23550
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, 
hostname, options,
 try:
 certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
-subject=subject,
+subject=subject, dns=[hostname],
 principal=principal,
 passwd_fname=passwd_fname)
 except Exception:
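Review bot: the `dns=[hostname]` argument added to the `certmonger.request_cert(...)` call puts `hostname` into the request verbatim as a SAN dNSName, so the issued certificate only matches what clients connect to if this is the host's canonical fully qualified name, in the same form used to build `subject`; if `configure_certmonger` can receive a short or mixed-case name, normalise it (lowercase FQDN) once before both uses, otherwise the CN and the SAN disagree and a client that prefers the SAN, as the urllib3 warning in this thread says clients now do, rejects the certificate.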
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 
f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..06d9bcc151afafdb8d301b25a1893a1c7cf9b569
 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -298,9 +298,14 @@ def add_subject(request_id, subject):
 add_request_value(request_id, 'template-subject', subject)
 
 
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+nssdb, nickname, subject, principal, passwd_fname=None,
+dns=None):
 """
 Execute certmonger to request a server certificate.
+
+``dns``
+A sequence of DNS names to appear in SAN request extension.
 """
 cm = _certmonger()
 ca_path = cm.obj_if.find_ca_by_nickname('IPA')
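Review bot: the new docstring describes ``dns`` only as "a sequence of DNS names"; say what is accepted, namely DNS hostnames that become SAN dNSName entries (ASCII IA5String, so no IP literals or URIs here), and that a bare string is not a valid value, since the caller in this patch passes `[hostname]` and a string would be treated as a sequence of one-character names by the check in the next hunk.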
@@ -311,6 +316,8 @@ def request_cert(nssdb, nickname, subject, principal, 
passwd_fname=None):
   KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
   SUBJECT=subject, PRINCIPAL=[principal],
   CA=ca_path)
+if dns is not None and len(dns) > 0:
+request_parameters['DNS'] = dns
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
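Review bot: `if dns is not None and len(dns) > 0:` is `if dns:` in idiomatic Python, and neither form rejects a `str`, which is itself a sequence: `dns='ipa.example.test'` would silently request sixteen single-character dNSName entries. Add an explicit type guard (for example `if isinstance(dns, str): raise TypeError(...)`) and pass `list(dns)` so that a tuple or generator argument reaches `add_request` in the same list form the existing `PRINCIPAL=[principal]` parameter uses.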
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 
f74b76090bfe2

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-08 Thread Fraser Tweedale
On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> Fraser Tweedale wrote:
> > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> >>> The attached patch fixes
> >>> https://fedorahosted.org/freeipa/ticket/4970.
> >>>
> >>> Note that the problem is addressed by adding the appropriate request
> >>> extension to the CSR; the fix does not involve changing the default
> >>> profile behaviour, which is complicated (see ticket for details).
> >>
> >> Thanks for the patch! This is something we should really fix, I already get
> >> warnings in my Python scripts when I hit sites protected by such HTTPS 
> >> cert:
> >>
> >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has 
> >> no
> >> `subjectAltName`, falling back to check for a `commonName` for now. This
> >> feature is being removed by major browsers and deprecated by RFC 2818. (See
> >> https://github.com/shazow/urllib3/issues/497 for details.)
> >>
> >> Should we split ticket 4970, for the FreeIPA server part and then for cert
> >> profile part? As it looks like the FreeIPA server will be fixed even in 
> >> FreeIPA
> >> 4.3.x and the other part later.
> >>
> >> How difficult do you see the general FreeIPA Certificate Profile part of 
> >> this
> >> request? Is it a too big task to handle in 4.4 time frame?
> >>
> > I will split the ticket and would suggest 4.4 Backlog - it might be
> > doable but is a lower priority than e.g. Sub-CAs.
> 
> If you are going to defer the profile part then you should probably
> update the client to also include a SAN if --request-cert is provided.
> 
> rob
> 
Yes, good idea.  Updated patch attached.

Cheers,
Fraser
From 72e24bb90fbb331644f0509371872a17f86007cb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py   | 9 -
 ipaserver/install/certs.py| 8 ++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
974dd1da8bf3f5836170ca67d2f4c298e7ec6844..fd273597944b8d07a2c9bdb96f6a32566085747f
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, 
hostname, options,
 try:
 certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
 nickname='Local IPA host',
-subject=subject,
+subject=subject, dns=[hostname],
 principal=principal,
 passwd_fname=passwd_fname)
 except Exception:
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 
2a4e43d3c5d5746134fc5b11a2d01d05f67a2e26..8901d3bb068cc1e0c94ea6c5a093d054ce0557e6
 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -299,9 +299,14 @@ def add_subject(request_id, subject):
 add_request_value(request_id, 'template-subject', subject)
 
 
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+nssdb, nickname, subject, principal, passwd_fname=None,
+dns=None):
 """
 Execute certmonger to request a server certificate.
+
+``dns``
+A sequence of DNS names to appear in SAN request extension.
 """
 cm = _certmonger()
 ca_path = cm.obj_if.find_ca_by_nickname('IPA')
@@ -312,6 +317,8 @@ def request_cert(nssdb, nickname, subject, principal, 
passwd_fname=None):
   KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
   SUBJECT=subject, PRINCIPAL=[principal],
   CA=ca_path)
+if dns is not None and len(dns) > 0:
+request_parameters['DNS'] = dns
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 
c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014
 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
 cdb

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-08 Thread Fraser Tweedale
On Tue, Dec 08, 2015 at 09:00:20AM +0100, Martin Kosek wrote:
> On 12/08/2015 02:22 AM, Fraser Tweedale wrote:
> > On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> >> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> >>>> The attached patch fixes
> >>>> https://fedorahosted.org/freeipa/ticket/4970.
> >>>>
> >>>> Note that the problem is addressed by adding the appropriate request
> >>>> extension to the CSR; the fix does not involve changing the default
> >>>> profile behaviour, which is complicated (see ticket for details).
> >>>
> >>> Thanks for the patch! This is something we should really fix, I already 
> >>> get
> >>> warnings in my Python scripts when I hit sites protected by such HTTPS 
> >>> cert:
> >>>
> >>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> >>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com 
> >>> has no
> >>> `subjectAltName`, falling back to check for a `commonName` for now. This
> >>> feature is being removed by major browsers and deprecated by RFC 2818. 
> >>> (See
> >>> https://github.com/shazow/urllib3/issues/497 for details.)
> >>>
> >>> Should we split ticket 4970, for the FreeIPA server part and then for cert
> >>> profile part? As it looks like the FreeIPA server will be fixed even in 
> >>> FreeIPA
> >>> 4.3.x and the other part later.
> >>>
> >>> How difficult do you see the general FreeIPA Certificate Profile part of 
> >>> this
> >>> request? Is it a too big task to handle in 4.4 time frame?
> >>>
> >> I will split the ticket and would suggest 4.4 Backlog - it might be
> >> doable but is a lower priority than e.g. Sub-CAs.
> >>
> > PKI ticket: https://fedorahosted.org/pki/ticket/1710
> > IPA tracker: https://fedorahosted.org/freeipa/ticket/5523
> 
> Thanks. I updated the ticket and added more information. I increased priority
> as I do not want us to overlook it, as it has potential to break FreeIPA
> certificates when the major browsers remove support for such certificates. 
> Right?
>
Yes.  With my (updated) patch the IPA HTTP/LDAP certs issued during
ipa-server-install or ipa-replica-prepare and IPA client host certs
issued during ipa-client-install will be OK.  But for service and
host certs issued due to user requests this is the case.

Cheers,
Fraser



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-08 Thread Martin Kosek
On 12/08/2015 02:22 AM, Fraser Tweedale wrote:
> On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>> The attached patch fixes
>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>
>>>> Note that the problem is addressed by adding the appropriate request
>>>> extension to the CSR; the fix does not involve changing the default
>>>> profile behaviour, which is complicated (see ticket for details).
>>>
>>> Thanks for the patch! This is something we should really fix, I already get
>>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>>
>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has 
>>> no
>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>
>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>> profile part? As it looks like the FreeIPA server will be fixed even in 
>>> FreeIPA
>>> 4.3.x and the other part later.
>>>
>>> How difficult do you see the general FreeIPA Certificate Profile part of 
>>> this
>>> request? Is it a too big task to handle in 4.4 time frame?
>>>
>> I will split the ticket and would suggest 4.4 Backlog - it might be
>> doable but is a lower priority than e.g. Sub-CAs.
>>
> PKI ticket: https://fedorahosted.org/pki/ticket/1710
> IPA tracker: https://fedorahosted.org/freeipa/ticket/5523

Thanks. I updated the ticket and added more information. I increased priority
as I do not want us to overlook it, as it has potential to break FreeIPA
certificates when the major browsers remove support for such certificates. 
Right?



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Fraser Tweedale
On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > > The attached patch fixes
> > > https://fedorahosted.org/freeipa/ticket/4970.
> > > 
> > > Note that the problem is addressed by adding the appropriate request
> > > extension to the CSR; the fix does not involve changing the default
> > > profile behaviour, which is complicated (see ticket for details).
> > 
> > Thanks for the patch! This is something we should really fix, I already get
> > warnings in my Python scripts when I hit sites protected by such HTTPS cert:
> > 
> > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has 
> > no
> > `subjectAltName`, falling back to check for a `commonName` for now. This
> > feature is being removed by major browsers and deprecated by RFC 2818. (See
> > https://github.com/shazow/urllib3/issues/497 for details.)
> > 
> > Should we split ticket 4970, for the FreeIPA server part and then for cert
> > profile part? As it looks like the FreeIPA server will be fixed even in 
> > FreeIPA
> > 4.3.x and the other part later.
> > 
> > How difficult do you see the general FreeIPA Certificate Profile part of 
> > this
> > request? Is it a too big task to handle in 4.4 time frame?
> >
> I will split the ticket and would suggest 4.4 Backlog - it might be
> doable but is a lower priority than e.g. Sub-CAs.
> 
PKI ticket: https://fedorahosted.org/pki/ticket/1710
IPA tracker: https://fedorahosted.org/freeipa/ticket/5523

> Cheers,
> Fraser
> 


Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Rob Crittenden
Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>> The attached patch fixes
>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>
>>> Note that the problem is addressed by adding the appropriate request
>>> extension to the CSR; the fix does not involve changing the default
>>> profile behaviour, which is complicated (see ticket for details).
>>
>> Thanks for the patch! This is something we should really fix, I already get
>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>
>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>> `subjectAltName`, falling back to check for a `commonName` for now. This
>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/shazow/urllib3/issues/497 for details.)
>>
>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>> profile part? As it looks like the FreeIPA server will be fixed even in 
>> FreeIPA
>> 4.3.x and the other part later.
>>
>> How difficult do you see the general FreeIPA Certificate Profile part of this
>> request? Is it a too big task to handle in 4.4 time frame?
>>
> I will split the ticket and would suggest 4.4 Backlog - it might be
> doable but is a lower priority than e.g. Sub-CAs.

If you are going to defer the profile part then you should probably
update the client to also include a SAN if --request-cert is provided.

rob



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Fraser Tweedale
On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > The attached patch fixes
> > https://fedorahosted.org/freeipa/ticket/4970.
> > 
> > Note that the problem is addressed by adding the appropriate request
> > extension to the CSR; the fix does not involve changing the default
> > profile behaviour, which is complicated (see ticket for details).
> 
> Thanks for the patch! This is something we should really fix, I already get
> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
> 
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
> `subjectAltName`, falling back to check for a `commonName` for now. This
> feature is being removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/shazow/urllib3/issues/497 for details.)
> 
> Should we split ticket 4970, for the FreeIPA server part and then for cert
> profile part? As it looks like the FreeIPA server will be fixed even in 
> FreeIPA
> 4.3.x and the other part later.
> 
> How difficult do you see the general FreeIPA Certificate Profile part of this
> request? Is it a too big task to handle in 4.4 time frame?
>
I will split the ticket and would suggest 4.4 Backlog - it might be
doable but is a lower priority than e.g. Sub-CAs.

Cheers,
Fraser



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Martin Kosek
On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/4970.
> 
> Note that the problem is addressed by adding the appropriate request
> extension to the CSR; the fix does not involve changing the default
> profile behaviour, which is complicated (see ticket for details).

Thanks for the patch! This is something we should really fix, I already get
warnings in my Python scripts when I hit sites protected by such HTTPS cert:

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
`subjectAltName`, falling back to check for a `commonName` for now. This
feature is being removed by major browsers and deprecated by RFC 2818. (See
https://github.com/shazow/urllib3/issues/497 for details.)

Should we split ticket 4970, for the FreeIPA server part and then for cert
profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
4.3.x and the other part later.

How difficult do you see the general FreeIPA Certificate Profile part of this
request? Is it a too big task to handle in 4.4 time frame?



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-06 Thread Alexander Bokovoy

On Mon, 07 Dec 2015, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/4970.
>
> Note that the problem is addressed by adding the appropriate request
> extension to the CSR; the fix does not involve changing the default
> profile behaviour, which is complicated (see ticket for details).

LGTM. I haven't tested the patch yet but it does what is explained.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-06 Thread Fraser Tweedale
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/4970.

Note that the problem is addressed by adding the appropriate request
extension to the CSR; the fix does not involve changing the default
profile behaviour, which is complicated (see ticket for details).

Thanks,
Fraser
From e984b2cbfd419a2a71aa40ba4b42dd29857a66d9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install or replica prepare,
a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger already adds an appropriate request extension when
renewing the certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipaserver/install/certs.py | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 
c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014
 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
 cdb = self
 if subject is None:
 subject=DN(('CN', hostname), self.subject_base)
-self.request_cert(subject)
+self.request_cert(subject, san_dnsnames=[hostname])
 cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
 self.import_cert(self.certder_fname, nickname)
 fd = open(self.certder_fname, "r")
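Review bot: `san_dnsnames=[hostname]` is passed unconditionally, including when the caller supplies its own `subject`; that is right (a client checks the SAN before, or instead of, the CN), but it means the CSR now carries two names that can disagree, so `hostname` should be checked here to be a lowercase, fully qualified DNS name before it is used for both. Also confirm that `cdb.issue_server_cert` honours the request extension: the commit message deliberately leaves the default profile behaviour alone, so the issuing profile has to copy the requested SAN into the certificate or the extension request is silently dropped.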
@@ -359,7 +359,9 @@ class CertDB(object):
 os.unlink(self.certreq_fname)
 os.unlink(self.certder_fname)
 
-def request_cert(self, subject, certtype="rsa", keysize="2048"):
+def request_cert(
+self, subject, certtype="rsa", keysize="2048",
+san_dnsnames=None):
 assert isinstance(subject, DN)
 self.create_noise_file()
 self.setup_cert_request()
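Review bot: `request_cert` gains a `san_dnsnames` parameter but has no docstring at all; since this is the method `ipa-server-install` and `ipa-replica-prepare` go through, add one stating that `san_dnsnames` is an optional sequence of DNS hostnames emitted as SAN dNSName entries in the CSR, and that the default `None` keeps the old behaviour of issuing a CN-only request.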
@@ -370,6 +372,8 @@ class CertDB(object):
 "-z", self.noise_fname,
 "-f", self.passwd_fname,
 "-a"]
+if san_dnsnames is not None and len(san_dnsnames) > 0:
+args += ['-8', ','.join(san_dnsnames)]
 (stdout, stderr, returncode) = self.run_certutil(args)
 os.remove(self.noise_fname)
 return (stdout, stderr)
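Review bot: `','.join(san_dnsnames)` builds certutil's comma-separated `-8` argument, so a name containing a comma would be split into two bogus dNSName entries and a non-ASCII name cannot be an IA5String at all; validate each entry before joining (for example `assert all(re.match(r'^[A-Za-z0-9.-]+$', n) for n in san_dnsnames)`, or IDNA-encode first). `if san_dnsnames:` says the same as `san_dnsnames is not None and len(san_dnsnames) > 0`, and note that a plain string passes that test too and would be joined character by character.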
-- 
2.4.3

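As an added illustration of the two technical points in this thread (the bytes that a dNSName subjectAltName request such as the one `certutil -8` or certmonger's `DNS` parameter places in the CSR, and the client-side check behind the urllib3 warning Martin Kosek quoted), here is a small self-contained Python script. It is example code written for this page, not FreeIPA, certmonger or NSS code; the hostnames `ipa.example.test` and `ipa-ca.example.test` are made up. It encodes and decodes only the ASN.1 subset needed for a dNSName-only GeneralNames, and the matching rule shows why a certificate with a SAN never falls back to the CN while a SAN-less certificate depends on a deprecated fallback the caller can switch off.

```python
"""subjectAltName dNSName request extension: encoding, decoding and the
client-side hostname check (example code added to this page; not FreeIPA,
certmonger or NSS code).  Hostnames such as ipa.example.test are made up."""
import re

# OBJECT IDENTIFIER 2.5.29.17 (id-ce-subjectAltName), already DER encoded
SAN_OID_DER = bytes.fromhex("0603551d11")
TAG_SEQUENCE = 0x30
TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04
TAG_DNSNAME = 0x82  # GeneralName dNSName: [2] IMPLICIT IA5String, context-specific primitive

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_dns_hostname(name):
    """Syntactic check for an ASCII DNS hostname (what a dNSName may carry)."""
    if not isinstance(name, str) or not 1 <= len(name) <= 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def _der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san_extension(dns_names):
    """DER-encode Extension { extnID subjectAltName, extnValue OCTET STRING
    wrapping GeneralNames } with only dNSName entries, i.e. what a
    'DNS:<name>' request extension in a CSR carries."""
    if isinstance(dns_names, (str, bytes)):
        raise TypeError("dns_names must be a sequence of hostnames, not a string")
    for name in dns_names:
        if not is_dns_hostname(name):
            raise ValueError("not a DNS hostname: %r" % (name,))
    general_names = _tlv(TAG_SEQUENCE, b"".join(
        _tlv(TAG_DNSNAME, n.encode("ascii")) for n in dns_names))
    return _tlv(TAG_SEQUENCE, SAN_OID_DER + _tlv(TAG_OCTET_STRING, general_names))


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_san_dnsnames(extension_der):
    """Return the dNSName entries of an encoded subjectAltName extension;
    other GeneralName choices (rfc822Name, iPAddress, URI, ...) are skipped."""
    tag, ext, _ = _read_tlv(extension_der, 0)
    if tag != TAG_SEQUENCE or not ext.startswith(SAN_OID_DER):
        raise ValueError("not a subjectAltName extension")
    tag, value, pos = _read_tlv(ext, len(SAN_OID_DER))
    if tag == TAG_BOOLEAN:                 # optional 'critical' flag
        tag, value, pos = _read_tlv(ext, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("malformed extension")
    tag, names, _ = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("malformed GeneralNames")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag == TAG_DNSNAME:
            found.append(body.decode("ascii"))
    return found


def _dns_pattern_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard only as the
    entire left-most label, never spanning a dot and never matching a TLD."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(hostname, san_dns, cn, allow_cn_fallback=True):
    """Return 'san' or 'cn' for the field that authenticated hostname, or None.

    This is the rule behind the urllib3 SubjectAltNameWarning quoted in the
    thread: when the certificate has dNSName entries the CN is never consulted;
    the CN is only a fallback for SAN-less certificates, and only while the
    caller still allows that deprecated behaviour (browsers stopped allowing it).
    """
    if san_dns:
        return "san" if any(_dns_pattern_matches(p, hostname) for p in san_dns) else None
    if allow_cn_fallback and cn and _dns_pattern_matches(cn, hostname):
        return "cn"
    return None


if __name__ == "__main__":
    ext = encode_san_extension(["ipa.example.test"])
    print(ext.hex())                      # the bytes a DNS:ipa.example.test request adds
    print(decode_san_dnsnames(ext))       # ['ipa.example.test']
    print(match_hostname("ipa.example.test", decode_san_dnsnames(ext), "ipa.example.test"))
```

The `TypeError` guard in `encode_san_extension` is there because a Python string is itself a sequence, the same pitfall a `len(dns) > 0` check on the certmonger side does not catch. To inspect a deployed certificate for the property Petr checked on port 8443, run `openssl x509 -in cert.pem -noout -text` and look for an `X509v3 Subject Alternative Name` block; if it is absent, every client that behaves like `match_hostname` with `allow_cn_fallback=False` will refuse the connection.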