[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

Martin Kosek mkosek at redhat.com
Tue Dec 8 08:00:20 UTC 2015


On 12/08/2015 02:22 AM, Fraser Tweedale wrote:
> On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>> The attached patch fixes
>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>
>>>> Note that the problem is addressed by adding the appropriate request
>>>> extension to the CSR; the fix does not involve changing the default
>>>> profile behaviour, which is complicated (see ticket for details).
>>>
>>> Thanks for the patch! This is something we should really fix, I already get
>>> warnings in my Python scripts when I hit sites protected by such an HTTPS cert:
>>>
>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>
>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>> 4.3.x and the other part later.
>>>
>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>> request? Is it a too big task to handle in 4.4 time frame?
>>>
>> I will split the ticket and would suggest 4.4 Backlog - it might be
>> doable but is a lower priority than e.g. Sub-CAs.
>>
> PKI ticket: https://fedorahosted.org/pki/ticket/1710
> IPA tracker: https://fedorahosted.org/freeipa/ticket/5523

Thanks. I updated the ticket and added more information. I increased priority
as I do not want us to overlook it, as it has potential to break FreeIPA
certificates when the major browsers remove support for such certificates. Right?
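The fix described in the thread is to put a subjectAltName request extension into the CSR rather than to change the CA profile. As an added illustration (not the attached FreeIPA patch, and not FreeIPA's or Dogtag's code), the script below uses the `cryptography` package to build a CSR with and without the DNS SAN extension, issue a self-signed certificate that copies the requested extension the way a cooperating profile would, and check a certificate the strict way urllib3 and browsers are moving to: the host must appear in the SAN, with no fallback to commonName. The hostname `ipa.example.test` is a constructed value, and `build_csr`, `san_dns_names`, `self_sign` and `hostname_matches` are names chosen for this example.

```python
"""Added example: DNS subjectAltName in a CSR, and a SAN-only hostname check.
Requires the `cryptography` package; hostnames used here are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_key():
    # RSA 2048 is enough for a demo and for most deployments.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(hostname, key, with_san=True):
    """Build a CSR for `hostname`.

    with_san=True adds the subjectAltName request extension (the approach
    taken in the thread); with_san=False reproduces the old CN-only request
    that triggers the urllib3 SubjectAltNameWarning once issued.
    """
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    )
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(hostname)]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def san_dns_names(obj):
    """Return the DNS names in the subjectAltName of a CSR or certificate,
    or None when the extension is absent."""
    try:
        ext = obj.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
    except x509.ExtensionNotFound:
        return None
    return ext.value.get_values_for_type(x509.DNSName)


def self_sign(csr, key, days=30):
    """Issue a self-signed certificate from the CSR, copying every requested
    extension (a stand-in for a CA profile that honours the request)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(csr.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    for ext in csr.extensions:
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(key, hashes.SHA256())


def hostname_matches(cert, hostname):
    """Strict check in the spirit of RFC 2818 / RFC 6125: the host must be
    listed in the SAN. There is deliberately no fallback to commonName,
    which is exactly the fallback urllib3 warns is being removed."""
    names = san_dns_names(cert)
    if not names:
        return False
    return hostname.lower() in {n.lower() for n in names}


if __name__ == "__main__":
    key = make_key()
    for with_san in (True, False):
        cert = self_sign(build_csr("ipa.example.test", key, with_san), key)
        print("SAN present:", with_san,
              "-> matches host:", hostname_matches(cert, "ipa.example.test"))
```

Running the script shows the CN-only certificate failing the strict check even though its commonName is the right host, which is the breakage the thread anticipates once clients drop the CN fallback. The check above is intentionally minimal: it does not handle wildcard names or IP SANs, and it does not validate the chain, expiry or key usage, all of which a real client still has to do.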
