[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

Fraser Tweedale ftweedal at redhat.com
Tue Dec 8 09:06:39 UTC 2015


On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> Fraser Tweedale wrote:
> > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> >>> The attached patch fixes
> >>> https://fedorahosted.org/freeipa/ticket/4970.
> >>>
> >>> Note that the problem is addressed by adding the appropriate request
> >>> extension to the CSR; the fix does not involve changing the default
> >>> profile behaviour, which is complicated (see ticket for details).
> >>
> >> Thanks for the patch! This is something we should really fix, I already get
> >> warnings in my Python scripts when I hit sites protected by such an HTTPS cert:
> >>
> >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
> >> `subjectAltName`, falling back to check for a `commonName` for now. This
> >> feature is being removed by major browsers and deprecated by RFC 2818. (See
> >> https://github.com/shazow/urllib3/issues/497 for details.)
> >>
> >> Should we split ticket 4970, for the FreeIPA server part and then for cert
> >> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
> >> 4.3.x and the other part later.
> >>
> >> How difficult do you see the general FreeIPA Certificate Profile part of this
> >> request? Is it too big a task to handle in the 4.4 time frame?
> >>
> > I will split the ticket and would suggest 4.4 Backlog - it might be
> > doable but is a lower priority than e.g. Sub-CAs.
> 
> If you are going to defer the profile part then you should probably
> update the client to also include a SAN if --request-cert is provided.
> 
> rob
> 
Yes, good idea.  Updated patch attached.

Cheers,
Fraser
-------------- next part --------------
From 72e24bb90fbb331644f0509371872a17f86007cb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname

Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipapython/certmonger.py                   | 9 ++++++++-
 ipaserver/install/certs.py                | 8 ++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 974dd1da8bf3f5836170ca67d2f4c298e7ec6844..fd273597944b8d07a2c9bdb96f6a32566085747f 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
     try:
         certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
                                 nickname='Local IPA host',
-                                subject=subject,
+                                subject=subject, dns=[hostname],
                                 principal=principal,
                                 passwd_fname=passwd_fname)
     except Exception:
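Review bot: `dns=[hostname]` is appended to the `subject=` line while every other keyword argument in this `request_cert` call sits on its own line; give it its own line (`dns=[hostname],`) to keep the call readable and consistent with the surrounding style. It is also worth confirming that the `hostname` passed into `configure_certmonger` is the fully qualified name, since a short name in the dNSName entry will not satisfy clients that connect by FQDN.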
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 2a4e43d3c5d5746134fc5b11a2d01d05f67a2e26..8901d3bb068cc1e0c94ea6c5a093d054ce0557e6 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -299,9 +299,14 @@ def add_subject(request_id, subject):
     add_request_value(request_id, 'template-subject', subject)
 
 
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+        nssdb, nickname, subject, principal, passwd_fname=None,
+        dns=None):
     """
     Execute certmonger to request a server certificate.
+
+    ``dns``
+        A sequence of DNS names to appear in SAN request extension.
     """
     cm = _certmonger()
     ca_path = cm.obj_if.find_ca_by_nickname('IPA')
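Review bot: the new docstring entry for ``dns`` should say that it is optional, that each entry is a plain hostname string, and that no SAN request extension is added when it is empty or omitted, since this docstring is the only place the parameter is described; "to appear in the SAN request extension" also reads better with the article.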
@@ -312,6 +317,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
                               KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
                               SUBJECT=subject, PRINCIPAL=[principal],
                               CA=ca_path)
+    if dns is not None and len(dns) > 0:
+        request_parameters['DNS'] = dns
     if passwd_fname:
         request_parameters['KEY_PIN_FILE'] = passwd_fname
     result = cm.obj_if.add_request(request_parameters)
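Review bot: `if dns is not None and len(dns) > 0:` reduces to `if dns:`, which accepts any non-empty sequence without needing `len()`; and since the docstring promises "a sequence", normalise it before it reaches `add_request` so a tuple or other iterable behaves like the list the caller passes:
    if dns:
        request_parameters['DNS'] = list(dns)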
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c918791f0be7a17e20123fe6f94c4ac0bbf09d7b..bd1792d32246bc3034c5403f1d868e0966ec0014 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -335,7 +335,7 @@ class CertDB(object):
             cdb = self
         if subject is None:
             subject=DN(('CN', hostname), self.subject_base)
-        self.request_cert(subject)
+        self.request_cert(subject, san_dnsnames=[hostname])
         cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
         self.import_cert(self.certder_fname, nickname)
         fd = open(self.certder_fname, "r")
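Review bot: when a caller supplies its own `subject`, the SAN still carries only `hostname`; if that subject's CN differs from `hostname`, the CN will not appear in the SAN and verifiers that honour the SAN will ignore the CN entirely, so the certificate would only ever match `hostname`. A short comment here stating that callers must pass the hostname the service is reached by (or an assertion that the CN of a caller-supplied subject equals `hostname`) would make that contract explicit.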
@@ -359,7 +359,9 @@ class CertDB(object):
         os.unlink(self.certreq_fname)
         os.unlink(self.certder_fname)
 
-    def request_cert(self, subject, certtype="rsa", keysize="2048"):
+    def request_cert(
+            self, subject, certtype="rsa", keysize="2048",
+            san_dnsnames=None):
         assert isinstance(subject, DN)
         self.create_noise_file()
         self.setup_cert_request()
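Review bot: `request_cert` has no docstring, so the new `san_dnsnames` parameter is undocumented here, and it carries a different name from `dns`, which is used for the same thing in `ipapython/certmonger.py`; pick one name for both and add a docstring line stating that it is an optional sequence of hostnames placed in the SAN as dNSName entries. The existing `assert isinstance(subject, DN)` could be paired with a check that every entry is a string, since the `','.join(san_dnsnames)` below will otherwise fail with an opaque TypeError.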
@@ -370,6 +372,8 @@ class CertDB(object):
                 "-z", self.noise_fname,
                 "-f", self.passwd_fname,
                 "-a"]
+        if san_dnsnames is not None and len(san_dnsnames) > 0:
+            args += ['-8', ','.join(san_dnsnames)]
         (stdout, stderr, returncode) = self.run_certutil(args)
         os.remove(self.noise_fname)
         return (stdout, stderr)
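Review bot: `if san_dnsnames is not None and len(san_dnsnames) > 0:` can be `if san_dnsnames:`. `certutil -8` takes a comma-separated list, so the join is correct, but a name containing a comma would silently become two dNSName entries; a hostname cannot legally contain a comma, yet a one-line guard (`assert all(',' not in n for n in san_dnsnames)`) would make the assumption visible. Note too that `-8` produces dNSName entries only, so the parameter name `san_dnsnames` is apt and should stay that specific rather than suggesting other SAN types are supported.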
-- 
2.4.3
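As an added illustration of the verification rule the commit message cites (RFC 2818 section 3.1), not part of the patch or of FreeIPA: a small stdlib-only Python hostname verifier that, like the urllib3 code behind the warning Martin quoted, consults the Subject CN only when the certificate has no subjectAltName extension, and lets the caller refuse that fallback. The certificate dictionaries are constructed by hand in the shape returned by `ssl.SSLSocket.getpeercert()` and are not real certificates; the host name `ipa.example.test` is made up.

```python
"""RFC 2818-style hostname verification (tightened per RFC 6125 s6.4.3).
Added example, not FreeIPA code.

Rules implemented:
  * if the certificate has a subjectAltName extension, only its dNSName
    entries are consulted and the Subject CN is ignored entirely;
  * the CN is consulted only as a legacy fallback when there is no SAN,
    and the caller can refuse that fallback;
  * a wildcard is allowed only as the whole left-most label and never
    matches more than one label.

Input is the dict shape returned by ssl.SSLSocket.getpeercert(); the
sample certificates below are constructed by hand, nothing is fetched.
"""


def san_dns_names(cert):
    """dNSName entries of the SAN extension, [] when the extension is absent."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def subject_common_names(cert):
    """All commonName attributes of the Subject, in order."""
    return [value
            for rdn in cert.get("subject", ())
            for kind, value in rdn
            if kind == "commonName"]


def match_identifier(pattern, hostname):
    """Match one presented identifier against a hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.test"-style wildcards: whole left-most label, at least
    # two fixed labels after it, and no other '*' anywhere in the pattern.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False          # '*' must not span "a.b.example.test"
    return h_labels[1:] == p_labels[1:]


def verify_hostname(cert, hostname, allow_cn_fallback=True):
    """Return (matched, source); source names the field that decided it:
    'subjectAltName', 'commonName', or None when nothing was usable."""
    san = san_dns_names(cert)
    if san:
        # SAN present: CN is never consulted, even if it would match.
        return any(match_identifier(p, hostname) for p in san), "subjectAltName"
    if not allow_cn_fallback:
        return False, None
    cns = subject_common_names(cert)
    if cns:
        # Deprecated fallback, the path the pre-patch FreeIPA certs relied on.
        return any(match_identifier(p, hostname) for p in cns), "commonName"
    return False, None


# Constructed sample certificates in getpeercert() form (not real certs).
HOST = "ipa.example.test"

# What a FreeIPA HTTP/LDAP cert looked like before the patch: CN only.
CERT_CN_ONLY = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", HOST),)),
}

# What the patch produces: the same Subject plus a SAN dNSName.
CERT_WITH_SAN = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", HOST),)),
    "subjectAltName": (("DNS", HOST),),
}

# CN matches but the SAN names a different host: per RFC 2818 the SAN wins.
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", HOST),),),
    "subjectAltName": (("DNS", "other.example.test"),),
}


if __name__ == "__main__":
    for name, cert in [("cn-only", CERT_CN_ONLY),
                       ("with-san", CERT_WITH_SAN),
                       ("san-mismatch", CERT_SAN_MISMATCH)]:
        lenient = verify_hostname(cert, HOST)
        strict = verify_hostname(cert, HOST, allow_cn_fallback=False)
        print("%-13s lenient=%s strict=%s" % (name, lenient, strict))
```

Running it shows the CN-only certificate passing only through the deprecated fallback and failing outright once the caller refuses that fallback, which is the failure mode the urllib3 warning announces; the mismatch case shows that a SAN, once present, overrides even a matching CN, which is why the patch has to put the right hostname into the SAN rather than rely on the CN at all.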
