[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname
Fraser Tweedale
ftweedal at redhat.com
Wed Jan 20 04:04:09 UTC 2016
On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > Fraser Tweedale wrote:
> > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > >>> The attached patch fixes
> > >>> https://fedorahosted.org/freeipa/ticket/4970.
> > >>>
> > >>> Note that the problem is addressed by adding the appropriate request
> > >>> extension to the CSR; the fix does not involve changing the default
> > >>> profile behaviour, which is complicated (see ticket for details).
> > >>
> > >> Thanks for the patch! This is something we should really fix, I already get
> > >> warnings in my Python scripts when I hit sites protected by such an HTTPS cert:
> > >>
> > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
> > >> `subjectAltName`, falling back to check for a `commonName` for now. This
> > >> feature is being removed by major browsers and deprecated by RFC 2818. (See
> > >> https://github.com/shazow/urllib3/issues/497 for details.)
> > >>
> > >> Should we split ticket 4970, for the FreeIPA server part and then for cert
> > >> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
> > >> 4.3.x and the other part later.
> > >>
> > >> How difficult do you see the general FreeIPA Certificate Profile part of this
> > >> request? Is it a too big task to handle in 4.4 time frame?
> > >>
> > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > doable but is a lower priority than e.g. Sub-CAs.
> >
> > If you are going to defer the profile part then you should probably
> > update the client to also include a SAN if --request-cert is provided.
> >
> > rob
> >
> Yes, good idea. Updated patch attached.
>
> Cheers,
> Fraser
Bump, with rebased patch.
-------------- next part --------------
From 51c59430905862ec586661f168ed2a36491d41d4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 7 Dec 2015 16:14:28 +1100
Subject: [PATCH] Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
---
ipa-client/ipa-install/ipa-client-install | 2 +-
ipapython/certmonger.py | 9 ++++++++-
ipaserver/install/certs.py | 8 ++++++--
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..07334df1c00c55629a956af26075871d56a23550 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
try:
certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
nickname='Local IPA host',
- subject=subject,
+ subject=subject, dns=[hostname],
principal=principal,
passwd_fname=passwd_fname)
except Exception:
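Review bot: `dns=[hostname]` is appended to the `subject=subject,` line while every other keyword argument in this call sits on its own line; give it its own line to match. Since an RFC 2818 client stops consulting the CN as soon as any dNSName is present, `hostname` here must be the fully qualified name the host's services are reached by, which is worth a one-line comment at the call site.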
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..06d9bcc151afafdb8d301b25a1893a1c7cf9b569 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -298,9 +298,14 @@ def add_subject(request_id, subject):
add_request_value(request_id, 'template-subject', subject)
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+ nssdb, nickname, subject, principal, passwd_fname=None,
+ dns=None):
"""
Execute certmonger to request a server certificate.
+
+ ``dns``
+ A sequence of DNS names to appear in SAN request extension.
"""
cm = _certmonger()
ca_path = cm.obj_if.find_ca_by_nickname('IPA')
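Review bot: the docstring for ``dns`` should state what happens when it is None or empty (no SAN request extension is sent, so the issued certificate matches on its CN only) and that the entries must be plain str hostnames, because the value is passed on to certmonger over D-Bus unchanged. A sentence noting that renewals need nothing here, as the commit message explains, would save the next reader from looking for the renewal path.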
@@ -311,6 +316,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
SUBJECT=subject, PRINCIPAL=[principal],
CA=ca_path)
+ if dns is not None and len(dns) > 0:
+ request_parameters['DNS'] = dns
if passwd_fname:
request_parameters['KEY_PIN_FILE'] = passwd_fname
result = cm.obj_if.add_request(request_parameters)
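Review bot: `if dns is not None and len(dns) > 0` rejects a generator (no `len`) even though the docstring promises any sequence, and whatever object is passed is stored verbatim in `request_parameters['DNS']`. Simplify to `if dns:` and store `list(dns)` so tuples and generators work and D-Bus always receives a list of strings.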
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f74b76090bfe2670a998373e3c7cdc3c5727c465..8a229587bb537fc8912f3a1823c05ab6f962f45a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -336,7 +336,7 @@ class CertDB(object):
cdb = self
if subject is None:
subject=DN(('CN', hostname), self.subject_base)
- self.request_cert(subject)
+ self.request_cert(subject, san_dnsnames=[hostname])
cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
self.import_cert(self.certder_fname, nickname)
fd = open(self.certder_fname, "r")
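Review bot: when the caller supplies `subject`, the SAN is still built from `hostname` alone, so a subject whose CN differs from `hostname` yields a certificate whose CN is ignored by RFC 2818 clients (they match only on the SAN once one exists). Either assert that the subject's CN equals `hostname`, or add the CN value to `san_dnsnames` alongside it.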
@@ -360,7 +360,9 @@ class CertDB(object):
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
- def request_cert(self, subject, certtype="rsa", keysize="2048"):
+ def request_cert(
+ self, subject, certtype="rsa", keysize="2048",
+ san_dnsnames=None):
assert isinstance(subject, DN)
self.create_noise_file()
self.setup_cert_request()
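Review bot: the keyword is `san_dnsnames` here but `dns` in `certmonger.request_cert`; pick one name so the two call sites read the same. The method also has no docstring; a line saying that `san_dnsnames` are passed to `certutil -8` and become dNSName entries would document the new parameter.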
@@ -371,6 +373,8 @@ class CertDB(object):
"-z", self.noise_fname,
"-f", self.passwd_fname,
"-a"]
+ if san_dnsnames is not None and len(san_dnsnames) > 0:
+ args += ['-8', ','.join(san_dnsnames)]
result = self.run_certutil(args,
capture_output=True, capture_error=True)
os.remove(self.noise_fname)
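Review bot: `','.join(san_dnsnames)` relies on certutil's `-8` taking a comma-separated list, which is its documented form, but nothing in the patch confirms the resulting CSR actually carries the extension and the diffstat shows no test. Add a test that calls `request_cert` with `san_dnsnames=[hostname]` and checks the CSR for a dNSName equal to the hostname. `len(san_dnsnames) > 0` can also be written `if san_dnsnames:`.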
--
2.5.0
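The extension this patch asks certutil and certmonger to emit, and the client-side rule that makes it matter, as an added example that is not part of the patch or of FreeIPA: it DER-encodes a subjectAltName extension holding dNSName entries, parses one back, and applies the RFC 2818 matching rule that once any dNSName is present the CN is ignored (the no-SAN case is the commonName fallback urllib3 warns about in the thread). The hostnames are constructed; the wildcard handling restricts `*` to the whole leftmost label, which follows RFC 6125 rather than RFC 2818's looser wording and is an assumption here. Standard library only.

```python
"""Added example (not FreeIPA code): build and parse the X.509 subjectAltName
extension that `certutil -8` / certmonger's DNS parameter request, and apply the
RFC 2818 rule that once any dNSName is present the CN is ignored for matching.
Pure standard library; all inputs below are constructed for illustration."""

SAN_OID_BODY = bytes.fromhex("551d11")  # 2.5.29.17, id-ce-subjectAltName


def _der_len(n):
    """DER length: short form below 128, else 0x80|nbytes then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san_extension(dns_names, critical=False):
    """DER for Extension { 2.5.29.17, [critical,] OCTET STRING { SEQUENCE OF dNSName } }."""
    # dNSName is GeneralName choice [2], IMPLICIT IA5String, so the tag byte is 0x82.
    general_names = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)
    inner = _tlv(0x06, SAN_OID_BODY)
    if critical:
        inner += _tlv(0x01, b"\xff")  # BOOLEAN TRUE
    inner += _tlv(0x04, _tlv(0x30, general_names))
    return _tlv(0x30, inner)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_san_dnsnames(ext_der):
    """Return the dNSName strings of a SAN Extension, or None if the OID is not SAN."""
    tag, ext_body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or oid != SAN_OID_BODY:
        return None
    tag, value, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:  # optional critical flag; the extnValue is whatever follows it
        tag, value, pos = _read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, names_body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be SEQUENCE OF GeneralName")
    names, pos = [], 0
    while pos < len(names_body):
        tag, item, pos = _read_tlv(names_body, pos)
        if tag == 0x82:  # other GeneralName choices (IP, URI, otherName) are skipped
            names.append(item.decode("ascii"))
    return names


def _name_matches(pattern, hostname):
    """Case-insensitive label match. '*' is accepted only as the entire leftmost
    label and matches exactly one label (RFC 6125 restriction, an assumption here)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def match_hostname(hostname, cn, san_dnsnames):
    """RFC 2818 s3.1: if any dNSName is present only the SAN is consulted and the
    CN is ignored; with no SAN the client falls back to the CN, the deprecated
    path urllib3 warns about. Returns (matched, basis)."""
    if san_dnsnames:
        return any(_name_matches(n, hostname) for n in san_dnsnames), "subjectAltName"
    return _name_matches(cn, hostname), "commonName-fallback"


if __name__ == "__main__":
    host = "ipa.example.test"  # constructed hostname
    ext = encode_san_extension([host])
    print(ext.hex())
    print(decode_san_dnsnames(ext))
    print(match_hostname(host, cn=host, san_dnsnames=[]))
    print(match_hostname(host, cn=host, san_dnsnames=["other.example.test"]))
```

The second `match_hostname` call is the case the reviewer note on `certs.py` is about: a CN that matches the hostname no longer helps once a non-matching SAN is present. To check a CSR produced by `certutil -R ... -8 name`, `openssl req -in server.csr -noout -text` lists the requested extensions, where the dNSName should appear under "X509v3 Subject Alternative Name".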