<div dir="ltr">Hi Fraser, Martin,<div><br><div>I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA in the subject.</div><div><br></div><div>### certprofile</div><div><div>$ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert</div><div>-----------------------------------------------------------</div><div>Profile configuration stored in file 'caIPAserviceCert.cfg'</div><div>-----------------------------------------------------------</div><div>  Profile ID: caIPAserviceCert</div><div>  Profile description: Standard profile for network services</div><div>  Store issued certificates: TRUE</div></div><div><br></div><div><br></div><div>### My /etc/pki/pki-tomcat/ca/CS.cfg :</div><div><a href="http://pastebin.com/wnVWH8bq">http://pastebin.com/wnVWH8bq</a><br></div><div><br></div><div>### caIPAserviceCert</div><div>I'd like to send you my caIPAserviceCert.cfg, two of them are present on my system:</div><div><br><div>- /usr/share/ipa/profiles/caIPAserviceCert.cfg : <a href="http://pastebin.com/byddqgSF">http://pastebin.com/byddqgSF</a></div><div>- /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg : <a href="http://pastebin.com/FFUTytDq">http://pastebin.com/FFUTytDq</a></div></div><div><br></div><div>And a diff between them :</div><div><br></div><div><div>$ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg</div><div>1,2d0</div><div>< profileId=caIPAserviceCert</div><div>< classId=caEnrollImpl</div><div>15c13</div><div>< policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11</div><div>---</div><div>> policyset.serverCertSet.list=1,2,3,4,5,6,7,8</div><div>22c20</div><div>< <a href="http://policyset.serverCertSet.1.default.params.name">policyset.serverCertSet.1.default.params.name</a>=CN=$$<a href="http://request.req_subject_name.cn">request.req_subject_name.cn</a>$$, $SUBJECT_DN_O</div><div>---</div><div>> <a href="http://policyset.serverCertSet.1.default.params.name">policyset.serverCertSet.1.default.params.name</a>=CN=$<a href="http://request.req_subject_name.cn">request.req_subject_name.cn</a>$, OU=pki-ipa, O=IPA </div><div>48c46</div><div>< policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp</div><div>---</div><div>> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=</div><div>95,97c93,95</div><div>< policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER</div><div>< policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName</div><div>< policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin</div><div>---</div><div>> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=</div><div>> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=</div><div>> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=<a href="https://ipa.example.com/ipa/crl/MasterCRL.bin">https://ipa.example.com/ipa/crl/MasterCRL.bin</a></div><div>100,109d97</div><div>< policyset.serverCertSet.10.constraint.class_id=noConstraintImpl</div><div>< <a href="http://policyset.serverCertSet.10.constraint.name">policyset.serverCertSet.10.constraint.name</a>=No Constraint</div><div>< policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl</div><div>< <a href="http://policyset.serverCertSet.10.default.name">policyset.serverCertSet.10.default.name</a>=Subject Key Identifier Extension Default</div><div>< policyset.serverCertSet.10.default.params.critical=false</div><div>< policyset.serverCertSet.11.constraint.class_id=noConstraintImpl</div><div>< <a href="http://policyset.serverCertSet.11.constraint.name">policyset.serverCertSet.11.constraint.name</a>=No Constraint</div><div>< policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl</div><div>< <a href="http://policyset.serverCertSet.11.default.name">policyset.serverCertSet.11.default.name</a>=User Supplied Extension Default</div><div>< policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17</div></div><div><br></div><div>Thanks by advance for your support,</div><div>Regards</div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><font face="arial, helvetica, sans-serif"><div><span style="font-family:arial"><font face="arial, helvetica, sans-serif"><div>--</div><div><font color="#666666">Youenn Piolet</font></div><div><font size="1" color="#999999"><a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a></font></div><div style="font-size:large"><span style="font-size:small"><span style="font-family:arial"><div><font face="tahoma, sans-serif"><span style="font-family:arial,verdana,tahoma,sans-serif;font-size:11px"><span style="font-family:tahoma,sans-serif;font-size:small"><font color="#666666"><span style="color:rgb(142,142,142);font-family:arial,verdana,tahoma,sans-serif;font-size:11px"><em><br></em></span></font></span></span></font></div><font color="#8E8E8E" face="arial, verdana, tahoma, sans-serif"></font></span><font color="#8E8E8E" face="arial, verdana, tahoma, sans-serif"></font><font color="#8E8E8E" face="arial, verdana, tahoma, sans-serif"></font></span></div></font></span></div></font></div></div>
<br><div class="gmail_quote">2016-03-31 9:41 GMT+02:00 Fraser Tweedale <span dir="ltr"><<a href="mailto:ftweedal@redhat.com" target="_blank">ftweedal@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:<br>
> Hello,<br>
><br>
> I seem to be having some issues with IPA CA feature not generating<br>
> certificates with DNS SubjectAltNames.<br>
><br>
> I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under<br>
> CentOS 7.2 / IPA 4.2 something's different.<br>
><br>
> Here are the original steps which worked fine for my first use case ::<br>
><br>
> $ ipa dnsrecord-add <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> mail --a-ip=172.17.100.25<br>
> $ ipa host-add <a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
> $ ipa service-add smtp/<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
> $ ipa service-add smtp/<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> $ ipa service-add-host smtp/<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a> --hosts=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \<br>
>                       -f /etc/pki/tls/certs/postfix.pem   \<br>
>                       -N CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> \<br>
>                       -D <a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a> -D <a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a> \<br>
>                       -K smtp/<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> (and repeat for every next member of the cluster...)<br>
><br>
> After this, I would get certificate with something like ::<br>
> $ sudo ipa-getcert list<br>
> Number of certificates and requests being tracked: 3.<br>
> Request ID '20150419153933':<br>
>       status: MONITORING<br>
>       stuck: no<br>
>       key pair storage:<br>
> type=FILE,location='/etc/pki/tls/private/postfix.key'<br>
>       certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'<br>
>       CA: IPA<br>
>       issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
>       subject: CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
>       expires: 2017-04-19 15:39:35 UTC<br>
>       dns: <a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
>       principal name: smtp/<a href="mailto:mail1.example.com@EXAMPLE.COM">mail1.example.com@EXAMPLE.COM</a><br>
>       key usage:<br>
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>       eku: id-kp-serverAuth,id-kp-clientAuth<br>
>       pre-save command: <br>
>       post-save command: <br>
>       track: yes<br>
>       auto-renew: yes<br>
><br>
> with Subject line in form of: 'CN=<hostname>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>' and 'dns'<br>
> info line present.<br>
><br>
> Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm<br>
> getting this ::<br>
><br>
> $ ipa dnsrecord-add <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> w3 --a-ip=172.17.17.80 --a-create-<br>
> reverse<br>
> $ ipa host-add <a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a><br>
> $ ipa service-add HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a><br>
> $ ipa service-add HTTP/<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> $ ipa service-add-host HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> --hosts=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \<br>
>                       -f /etc/pki/tls/certs/httpd.pem   \<br>
>                       -N CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> \<br>
>                       -D <a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a> -D <a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> \<br>
>                       -K HTTP/<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> $ sudo ipa-getcert list<br>
> Number of certificates and requests being tracked: 3.<br>
> Request ID '20160327095125':<br>
>       status: MONITORING<br>
>       stuck: no<br>
>       key pair storage:<br>
> type=FILE,location='/etc/pki/tls/private/http.key'<br>
>       certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'<br>
>       CA: IPA<br>
>       issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
>       subject: CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a>,OU=pki-ipa,O=IPA<br>
>       expires: 2018-03-28 09:51:27 UTC<br>
>       key usage:<br>
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
>       eku: id-kp-serverAuth,id-kp-clientAuth<br>
>       pre-save command: <br>
>       post-save command: <br>
>       track: yes<br>
>       auto-renew: yes<br>
><br>
> Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of<br>
> 'CN=<hostname>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>' and why are DNS SubjectAltNames missing?<br>
><br>
> To be clear, if I don't do ::<br>
> $ ipa service-add-host HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> --hosts=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
><br>
> then certificate is just not issued with 'REJECTED', but once this is<br>
> done properly in described steps, DNS SANs are not happening.<br>
><br>
> I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only<br>
> against my current IPA 4.2 on CentOS 7.2.<br>
><br>
> For the actual certificates ::<br>
> $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text<br>
> Certificate:<br>
>     Data:<br>
>         Version: 3 (0x2)<br>
>         Serial Number: 15 (0xf)<br>
>     Signature Algorithm: sha256WithRSAEncryption<br>
>         Issuer: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=Certificate Authority<br>
>         Validity<br>
>             Not Before: Apr 19 15:39:35 2015 GMT<br>
>             Not After : Apr 19 15:39:35 2017 GMT<br>
>         Subject: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
>         Subject Public Key Info:<br>
>             Public Key Algorithm: rsaEncryption<br>
>                 Public-Key: (2048 bit)<br>
>                 Modulus:<br>
>                     [cut]<br>
>                 Exponent: 65537 (0x10001)<br>
>         X509v3 extensions:<br>
>             X509v3 Authority Key Identifier: <br>
>                 keyid:[cut]<br>
><br>
>             Authority Information Access: <br>
>                 OCSP - URI:<a href="http://ipa-ca.example.com/ca/ocsp" rel="noreferrer" target="_blank">http://ipa-ca.example.com/ca/ocsp</a><br>
><br>
>             X509v3 Key Usage: critical<br>
>                 Digital Signature, Non Repudiation, Key Encipherment,<br>
> Data Encipherment<br>
>             X509v3 Extended Key Usage: <br>
>                 TLS Web Server Authentication, TLS Web Client<br>
> Authentication<br>
>             X509v3 CRL Distribution Points: <br>
><br>
>                 Full Name:<br>
>                   URI:<a href="http://ipa-ca.example.com/ipa/crl/MasterCRL.bin" rel="noreferrer" target="_blank">http://ipa-ca.example.com/ipa/crl/MasterCRL.bin</a><br>
>                 CRL Issuer:<br>
>                   DirName: O = ipaca, CN = Certificate Authority<br>
><br>
>             X509v3 Subject Key Identifier: <br>
>                 [cut]<br>
>             X509v3 Subject Alternative Name: <br>
>                 DNS:<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>, DNS:<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a>,<br>
> othername:<unsupported>, othername:<unsupported><br>
>     Signature Algorithm: sha256WithRSAEncryption<br>
>          [cut]<br>
><br>
> vs.<br>
><br>
> $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout<br>
> Certificate:<br>
>     Data:<br>
>         Version: 3 (0x2)<br>
>         Serial Number: 71 (0x47)<br>
>     Signature Algorithm: sha256WithRSAEncryption<br>
>         Issuer: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=Certificate Authority<br>
>         Validity<br>
>             Not Before: Mar 27 09:51:27 2016 GMT<br>
>             Not After : Mar 28 09:51:27 2018 GMT<br>
>         Subject: O=IPA, OU=pki-ipa, CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
>         Subject Public Key Info:<br>
>             Public Key Algorithm: rsaEncryption<br>
>                 Public-Key: (2048 bit)<br>
>                 Modulus:<br>
>                     [cut]<br>
>                 Exponent: 65537 (0x10001)<br>
>         X509v3 extensions:<br>
>             X509v3 Authority Key Identifier: <br>
>                 keyid:[cut]<br>
><br>
>             Authority Information Access: <br>
>                 OCSP - URI:<a href="http://idmc1.example.com:80/ca/ocsp" rel="noreferrer" target="_blank">http://idmc1.example.com:80/ca/ocsp</a><br>
><br>
>             X509v3 Key Usage: critical<br>
>                 Digital Signature, Non Repudiation, Key Encipherment,<br>
> Data Encipherment<br>
>             X509v3 Extended Key Usage: <br>
>                 TLS Web Server Authentication, TLS Web Client<br>
> Authentication<br>
>     Signature Algorithm: sha256WithRSAEncryption<br>
>          [cut]<br>
><br>
> so even reference to CRL is missing here, but OCSP is present.<br>
><br>
><br>
> Sorry if this is duplicate, but from what I was able to find, DNS<br>
> SubjectAltNames are reported working since CentOS 7.1, and I think I'm<br>
> consistent with <a href="http://www.freeipa.org/page/PKI" rel="noreferrer" target="_blank">http://www.freeipa.org/page/PKI</a>, unless I miss something<br>
> obvious here.<br>
><br>
> For new features like certificate profiles and ACLs, I haven't changed<br>
> any defaults as far as I know as there was no need for that.<br>
><br>
><br>
> Thank you for any support in advance! And Happy Easter!<br>
><br>
> Martin<br>
<br>
</div></div>Hi Martin,<br>
<br>
Thanks for the detailed info.  Could you please provide the<br>
Dogtag configuration for the default profile, `caIPAserviceCert'?<br>
<br>
    ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert<br>
<br>
(Then provide the contents of caIPAserviceCert.cfg)<br>
<br>
Could you also provide the contents of file<br>
`/etc/pki/pki-tomcat/ca/CS.cfg'?<br>
<br>
Regards,<br>
Fraser<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project</font></span></blockquote></div><br></div>