[Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

Martin Basti mbasti at redhat.com
Tue Jul 19 12:21:05 UTC 2016
On 01.07.2016 13:26, Petr Spacek wrote:
> On 20.1.2016 05:04, Fraser Tweedale wrote:
>> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
>>> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
>>>> Fraser Tweedale wrote:
>>>>> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>>>>>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>>>>>> The attached patch fixes
>>>>>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>>>>>
>>>>>>> Note that the problem is addressed by adding the appropriate request
>>>>>>> extension to the CSR; the fix does not involve changing the default
>>>>>>> profile behaviour, which is complicated (see ticket for details).
>>>>>> Thanks for the patch! This is something we should really fix, I already get
>>>>>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>>>>>
>>>>>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>>>>>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>>>>>> `subjectAltName`, falling back to check for a `commonName` for now. This
>>>>>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>>>>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>>>>
>>>>>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>>>>>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
>>>>>> 4.3.x and the other part later.
>>>>>>
>>>>>> How difficult do you see the general FreeIPA Certificate Profile part of this
>>>>>> request? Is it a too big task to handle in 4.4 time frame?
>>>>>>
>>>>> I will split the ticket and would suggest 4.4 Backlog - it might be
>>>>> doable but is a lower priority than e.g. Sub-CAs.
>>>> If you are going to defer the profile part then you should probably
>>>> update the client to also include a SAN if --request-cert is provided.
>>>>
>>>> rob
>>>>
>>> Yes, good idea.  Updated patch attached.
>>>
>>> Cheers,
>>> Fraser
>> Bump, with rebased patch.
> Hi,
>
> this seems to work for Apache on IPA server & client cert. ACK.
Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3

>
> Interestingly enough I found out that Dogtag cert used on port 8443 does not
> have any SAN.
>
> Is it in scope of this ticket?
I will leave the ticket open until this is answered.

Martin^2
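The SubjectAltNameWarning quoted earlier in this thread comes from the client-side hostname check that the SAN request extension in this patch is meant to satisfy. As an added illustration that is not part of the patch or of anyone's mail here, a stdlib-only Python checker that matches a hostname against a certificate in the shape returned by ssl.getpeercert() and reports when the match had to fall back to commonName; the certificate dicts and hostnames are constructed samples.

```python
"""Check a server certificate the way modern TLS clients do: match the
hostname against subjectAltName DNS entries and fall back to the subject
commonName (deprecated by RFC 2818) only when no SAN is present at all.

The certificate dicts below are constructed samples in the shape returned
by ssl.SSLSocket.getpeercert(); they are not real FreeIPA certificates."""


def _dns_match(pattern, hostname):
    """Match one DNS name, allowing a single left-most wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def check_hostname(cert, hostname):
    """Return (matched, used_cn_fallback).

    used_cn_fallback is True when the certificate carries no subjectAltName
    and the match relied on commonName alone: the case that triggers
    urllib3's SubjectAltNameWarning and that browsers now reject outright.
    When a SAN is present, commonName is ignored even if it would match."""
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_match(n, hostname) for n in san_dns), False
    cns = [v for rdn in cert.get("subject", ())
           for (k, v) in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in cns), True


# Constructed sample: a pre-fix IPA HTTP cert, commonName only.
CERT_CN_ONLY = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", "ipa.example.test"),)),
}

# Constructed sample: a cert issued from a CSR carrying the SAN extension.
CERT_WITH_SAN = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", "ipa.example.test"),)),
    "subjectAltName": (("DNS", "ipa.example.test"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        ok, fallback = check_hostname(cert, "ipa.example.test")
        print(f"{label}: match={ok} cn_fallback={fallback}")
```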