[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname
Petr Spacek
pspacek at redhat.com
Fri Jul 1 11:26:42 UTC 2016
On 20.1.2016 05:04, Fraser Tweedale wrote:
> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
>> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
>>> Fraser Tweedale wrote:
>>>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>>>> The attached patch fixes
>>>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>>>
>>>>>> Note that the problem is addressed by adding the appropriate request
>>>>>> extension to the CSR; the fix does not involve changing the default
>>>>>> profile behaviour, which is complicated (see ticket for details).
>>>>>
>>>>> Thanks for the patch! This is something we should really fix, I already get
>>>>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>>>>
>>>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>>>
>>>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>>>> 4.3.x and the other part later.
>>>>>
>>>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>>>> request? Is it a too big task to handle in 4.4 time frame?
>>>>>
>>>> I will split the ticket and would suggest 4.4 Backlog - it might be
>>>> doable but is a lower priority than e.g. Sub-CAs.
>>>
>>> If you are going to defer the profile part then you should probably
>>> update the client to also include a SAN if --request-cert is provided.
>>>
>>> rob
>>>
>> Yes, good idea. Updated patch attached.
>>
>> Cheers,
>> Fraser
>
> Bump, with rebased patch.
Hi,
this seems to work for Apache on IPA server & client cert. ACK.
Interestingly enough I found out that Dogtag cert used on port 8443 does not
have any SAN.
Is it in scope of this ticket?
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list