[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

Fraser Tweedale ftweedal at redhat.com
Mon Dec 7 05:26:11 UTC 2015


The attached patch fixes
https://fedorahosted.org/freeipa/ticket/4970.

Note that the problem is addressed by adding the appropriate request
extension to the CSR; the fix does not involve changing the default
profile behaviour, which is complicated (see ticket for details).

Thanks,
Fraser
-------------- next part --------------
From e984b2cbfd419a2a71aa40ba4b42dd29857a66d9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install or replica prepare,
a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger already adds an appropriate request extension when
renewing the certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipaserver/install/certs.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
             cdb = self
         if subject is None:
             subject=DN(('CN', hostname), self.subject_base)
-        self.request_cert(subject)
+        self.request_cert(subject, san_dnsnames=[hostname])
         cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
         self.import_cert(self.certder_fname, nickname)
         fd = open(self.certder_fname, "r")
@@ -359,7 +359,9 @@ class CertDB(object):
         os.unlink(self.certreq_fname)
         os.unlink(self.certder_fname)
 
-    def request_cert(self, subject, certtype="rsa", keysize="2048"):
+    def request_cert(
+            self, subject, certtype="rsa", keysize="2048",
+            san_dnsnames=None):
         assert isinstance(subject, DN)
         self.create_noise_file()
         self.setup_cert_request()
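Review bot: the new `san_dnsnames` keyword argument is undocumented; `request_cert` should get a docstring stating that it is an optional list of DNS names to be added as subjectAltName dNSName entries in the CSR, and that `None` or an empty list yields a request with no SAN extension, so callers other than `create_server_cert` know what the parameter expects.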
@@ -370,6 +372,8 @@ class CertDB(object):
                 "-z", self.noise_fname,
                 "-f", self.passwd_fname,
                 "-a"]
+        if san_dnsnames is not None and len(san_dnsnames) > 0:
+            args += ['-8', ','.join(san_dnsnames)]
         (stdout, stderr, returncode) = self.run_certutil(args)
         os.remove(self.noise_fname)
         return (stdout, stderr)
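Review bot: the `if san_dnsnames is not None and len(san_dnsnames) > 0:` guard can simply be `if san_dnsnames:`, and because certutil's `-8` option takes a single comma-separated string, a name containing a comma would silently become two SAN entries; consider rejecting empty entries and entries containing `,` before the `','.join(...)`. Minor style point: the surrounding `args` list uses double-quoted strings (`"-z"`, `"-a"`), so `'-8'` should match.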
-- 
2.4.3


