<div dir="ltr">Hi Fraser, thanks a lot for your quick reply!<div><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Could you confirm whether you are on RHEL / CentOS 7.2, and if so,<br>
whether it was installed at 7.2 or an upgrade from 7.1 or an earlier<br>
version?<br></blockquote><div><br></div><div>This is a replica that was previously installed in CentOS 7.1.</div><div>I don't exactly remember but I think I used COPR repository to install FreeIPA 4.2 and then upgraded CentOS to 7.2.</div><div><br></div><div>Also, I remember my pki got broken after upgrading this replica in 7.2. I had to renew the replica's certificate and force-sync to successfully launch pki-tomcatd. Now this replica is my pki master.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<span class=""><br>
> ### certprofile<br>
> $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert<br>
> -----------------------------------------------------------<br>
> Profile configuration stored in file 'caIPAserviceCert.cfg'<br>
> -----------------------------------------------------------<br>
> Profile ID: caIPAserviceCert<br>
> Profile description: Standard profile for network services<br>
> Store issued certificates: TRUE<br>
><br>
</span>You do not include the caIPAserviceCert.cfg in the diffs below,<br>
however, I suspect you will find it to be identical to<br>
/usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you<br>
please confirm this?<br></blockquote><div> </div><div>Ah true... I did not realised I was actually writing a new file! </div><div>And you're right, diff is the same (except 2 profileId/classId lignes that don't exist in template + enableBy that differs)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem<br>
which stores profile configuration in LDAP. The file output by the<br>
``ipa certprofile-show`` command will have come from LDAP; this is<br>
the version that's actually in use in your IPA installation.<br></blockquote><div><br></div><div>Thanks a lot for your answers.</div><div><br></div><div>So now, what would you suggest me to do?</div><div>Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import to LDAP ?</div><div> </div><div>Cheers,</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">
<br>
> And a diff between them :<br>
><br>
> $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg<br>
> /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg<br>
> 1,2d0<br>
> < profileId=caIPAserviceCert<br>
> < classId=caEnrollImpl<br>
> 15c13<br>
> < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11<br>
> ---<br>
> > policyset.serverCertSet.list=1,2,3,4,5,6,7,8<br>
> 22c20<br>
> < <a href="http://policyset.serverCertSet.1.default.params.name" rel="noreferrer" target="_blank">policyset.serverCertSet.1.default.params.name</a>=CN=$$<br>
> <a href="http://request.req_subject_name.cn" rel="noreferrer" target="_blank">request.req_subject_name.cn</a>$$, $SUBJECT_DN_O<br>
> ---<br>
> > <a href="http://policyset.serverCertSet.1.default.params.name" rel="noreferrer" target="_blank">policyset.serverCertSet.1.default.params.name</a>=CN=$<br>
> <a href="http://request.req_subject_name.cn" rel="noreferrer" target="_blank">request.req_subject_name.cn</a>$, OU=pki-ipa, O=IPA<br>
> 48c46<br>
> <<br>
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://<br>
> $IPA_CA_RECORD.$DOMAIN/ca/ocsp<br>
> ---<br>
> > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=<br>
> 95,97c93,95<br>
> <<br>
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER<br>
> <<br>
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName<br>
> < policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://<br>
> $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin<br>
> ---<br>
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=<br>
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=<br>
> > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=<br>
> <a href="https://ipa.example.com/ipa/crl/MasterCRL.bin" rel="noreferrer" target="_blank">https://ipa.example.com/ipa/crl/MasterCRL.bin</a><br>
> 100,109d97<br>
> < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl<br>
> < <a href="http://policyset.serverCertSet.10.constraint.name" rel="noreferrer" target="_blank">policyset.serverCertSet.10.constraint.name</a>=No Constraint<br>
> <<br>
> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl<br>
> < <a href="http://policyset.serverCertSet.10.default.name" rel="noreferrer" target="_blank">policyset.serverCertSet.10.default.name</a>=Subject Key Identifier Extension<br>
> Default<br>
> < policyset.serverCertSet.10.default.params.critical=false<br>
> < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl<br>
> < <a href="http://policyset.serverCertSet.11.constraint.name" rel="noreferrer" target="_blank">policyset.serverCertSet.11.constraint.name</a>=No Constraint<br>
> < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl<br>
> < <a href="http://policyset.serverCertSet.11.default.name" rel="noreferrer" target="_blank">policyset.serverCertSet.11.default.name</a>=User Supplied Extension Default<br>
> < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17<br>
><br>
> Thanks by advance for your support,<br>
> Regards<br>
><br>
> --<br>
> Youenn Piolet<br>
> <a href="mailto:piolet.y@gmail.com">piolet.y@gmail.com</a><br>
><br>
><br>
> 2016-03-31 9:41 GMT+02:00 Fraser Tweedale <<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a>>:<br>
><br>
> > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:<br>
> > > Hello,<br>
> > ><br>
> > > I seem to be having some issues with IPA CA feature not generating<br>
> > > certificates with DNS SubjectAltNames.<br>
> > ><br>
> > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under<br>
> > > CentOS 7.2 / IPA 4.2 something's different.<br>
> > ><br>
> > > Here are the original steps which worked fine for my first use case ::<br>
> > ><br>
> > > $ ipa dnsrecord-add <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> mail --a-ip=172.17.100.25<br>
> > > $ ipa host-add <a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
> > > $ ipa service-add smtp/<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
> > > $ ipa service-add smtp/<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> > > $ ipa service-add-host smtp/<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a> --hosts=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \<br>
> > > -f /etc/pki/tls/certs/postfix.pem \<br>
> > > -N CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> \<br>
> > > -D <a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a> -D <a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a> \<br>
> > > -K smtp/<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> > > (and repeat for every next member of the cluster...)<br>
> > ><br>
> > > After this, I would get certificate with something like ::<br>
> > > $ sudo ipa-getcert list<br>
> > > Number of certificates and requests being tracked: 3.<br>
> > > Request ID '20150419153933':<br>
> > > status: MONITORING<br>
> > > stuck: no<br>
> > > key pair storage:<br>
> > > type=FILE,location='/etc/pki/tls/private/postfix.key'<br>
> > > certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'<br>
> > > CA: IPA<br>
> > > issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
> > > subject: CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
> > > expires: 2017-04-19 15:39:35 UTC<br>
> > > dns: <a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>,<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a><br>
> > > principal name: smtp/<a href="mailto:mail1.example.com@EXAMPLE.COM">mail1.example.com@EXAMPLE.COM</a><br>
> > > key usage:<br>
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> > > eku: id-kp-serverAuth,id-kp-clientAuth<br>
> > > pre-save command:<br>
> > > post-save command:<br>
> > > track: yes<br>
> > > auto-renew: yes<br>
> > ><br>
> > > with Subject line in form of: 'CN=<hostname>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>' and 'dns'<br>
> > > info line present.<br>
> > ><br>
> > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm<br>
> > > getting this ::<br>
> > ><br>
> > > $ ipa dnsrecord-add <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> w3 --a-ip=172.17.17.80 --a-create-<br>
> > > reverse<br>
> > > $ ipa host-add <a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a><br>
> > > $ ipa service-add HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a><br>
> > > $ ipa service-add HTTP/<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> > > $ ipa service-add-host HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> --hosts=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \<br>
> > > -f /etc/pki/tls/certs/httpd.pem \<br>
> > > -N CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> \<br>
> > > -D <a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a> -D <a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> \<br>
> > > -K HTTP/<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> > > $ sudo ipa-getcert list<br>
> > > Number of certificates and requests being tracked: 3.<br>
> > > Request ID '20160327095125':<br>
> > > status: MONITORING<br>
> > > stuck: no<br>
> > > key pair storage:<br>
> > > type=FILE,location='/etc/pki/tls/private/http.key'<br>
> > > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'<br>
> > > CA: IPA<br>
> > > issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a><br>
> > > subject: CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a>,OU=pki-ipa,O=IPA<br>
> > > expires: 2018-03-28 09:51:27 UTC<br>
> > > key usage:<br>
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> > > eku: id-kp-serverAuth,id-kp-clientAuth<br>
> > > pre-save command:<br>
> > > post-save command:<br>
> > > track: yes<br>
> > > auto-renew: yes<br>
> > ><br>
> > > Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of<br>
> > > 'CN=<hostname>,O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>' and why are DNS SubjectAltNames missing?<br>
> > ><br>
> > > To be clear, if I don't do ::<br>
> > > $ ipa service-add-host HTTP/<a href="http://w3.example.com" rel="noreferrer" target="_blank">w3.example.com</a> --hosts=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> > ><br>
> > > then certificate is just not issued with 'REJECTED', but once this is<br>
> > > done properly in described steps, DNS SANs are not happening.<br>
> > ><br>
> > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only<br>
> > > against my current IPA 4.2 on CentOS 7.2.<br>
> > ><br>
> > > For the actual certificates ::<br>
> > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text<br>
> > > Certificate:<br>
> > > Data:<br>
> > > Version: 3 (0x2)<br>
> > > Serial Number: 15 (0xf)<br>
> > > Signature Algorithm: sha256WithRSAEncryption<br>
> > > Issuer: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=Certificate Authority<br>
> > > Validity<br>
> > > Not Before: Apr 19 15:39:35 2015 GMT<br>
> > > Not After : Apr 19 15:39:35 2017 GMT<br>
> > > Subject: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a><br>
> > > Subject Public Key Info:<br>
> > > Public Key Algorithm: rsaEncryption<br>
> > > Public-Key: (2048 bit)<br>
> > > Modulus:<br>
> > > [cut]<br>
> > > Exponent: 65537 (0x10001)<br>
> > > X509v3 extensions:<br>
> > > X509v3 Authority Key Identifier:<br>
> > > keyid:[cut]<br>
> > ><br>
> > > Authority Information Access:<br>
> > > OCSP - URI:<a href="http://ipa-ca.example.com/ca/ocsp" rel="noreferrer" target="_blank">http://ipa-ca.example.com/ca/ocsp</a><br>
> > ><br>
> > > X509v3 Key Usage: critical<br>
> > > Digital Signature, Non Repudiation, Key Encipherment,<br>
> > > Data Encipherment<br>
> > > X509v3 Extended Key Usage:<br>
> > > TLS Web Server Authentication, TLS Web Client<br>
> > > Authentication<br>
> > > X509v3 CRL Distribution Points:<br>
> > ><br>
> > > Full Name:<br>
> > > URI:<a href="http://ipa-ca.example.com/ipa/crl/MasterCRL.bin" rel="noreferrer" target="_blank">http://ipa-ca.example.com/ipa/crl/MasterCRL.bin</a><br>
> > > CRL Issuer:<br>
> > > DirName: O = ipaca, CN = Certificate Authority<br>
> > ><br>
> > > X509v3 Subject Key Identifier:<br>
> > > [cut]<br>
> > > X509v3 Subject Alternative Name:<br>
> > > DNS:<a href="http://mail1.example.com" rel="noreferrer" target="_blank">mail1.example.com</a>, DNS:<a href="http://mail.example.com" rel="noreferrer" target="_blank">mail.example.com</a>,<br>
> > > othername:<unsupported>, othername:<unsupported><br>
> > > Signature Algorithm: sha256WithRSAEncryption<br>
> > > [cut]<br>
> > ><br>
> > > vs.<br>
> > ><br>
> > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout<br>
> > > Certificate:<br>
> > > Data:<br>
> > > Version: 3 (0x2)<br>
> > > Serial Number: 71 (0x47)<br>
> > > Signature Algorithm: sha256WithRSAEncryption<br>
> > > Issuer: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a>, CN=Certificate Authority<br>
> > > Validity<br>
> > > Not Before: Mar 27 09:51:27 2016 GMT<br>
> > > Not After : Mar 28 09:51:27 2018 GMT<br>
> > > Subject: O=IPA, OU=pki-ipa, CN=<a href="http://http1.example.com" rel="noreferrer" target="_blank">http1.example.com</a><br>
> > > Subject Public Key Info:<br>
> > > Public Key Algorithm: rsaEncryption<br>
> > > Public-Key: (2048 bit)<br>
> > > Modulus:<br>
> > > [cut]<br>
> > > Exponent: 65537 (0x10001)<br>
> > > X509v3 extensions:<br>
> > > X509v3 Authority Key Identifier:<br>
> > > keyid:[cut]<br>
> > ><br>
> > > Authority Information Access:<br>
> > > OCSP - URI:<a href="http://idmc1.example.com:80/ca/ocsp" rel="noreferrer" target="_blank">http://idmc1.example.com:80/ca/ocsp</a><br>
> > ><br>
> > > X509v3 Key Usage: critical<br>
> > > Digital Signature, Non Repudiation, Key Encipherment,<br>
> > > Data Encipherment<br>
> > > X509v3 Extended Key Usage:<br>
> > > TLS Web Server Authentication, TLS Web Client<br>
> > > Authentication<br>
> > > Signature Algorithm: sha256WithRSAEncryption<br>
> > > [cut]<br>
> > ><br>
> > > so even reference to CRL is missing here, but OCSP is present.<br>
> > ><br>
> > ><br>
> > > Sorry if this is duplicate, but from what I was able to find, DNS<br>
> > > SubjectAltNames are reported working since CentOS 7.1, and I think I'm<br>
> > > consistent with <a href="http://www.freeipa.org/page/PKI" rel="noreferrer" target="_blank">http://www.freeipa.org/page/PKI</a>, unless I miss something<br>
> > > obvious here.<br>
> > ><br>
> > > For new features like certificate profiles and ACLs, I haven't changed<br>
> > > any defaults as far as I know as there was no need for that.<br>
> > ><br>
> > ><br>
> > > Thank you for any support in advance! And Happy Easter!<br>
> > ><br>
> > > Martin<br>
> ><br>
> > Hi Martin,<br>
> ><br>
> > Thanks for the detailed info. Could you please provide the<br>
> > Dogtag configuration for the default profile, `caIPAserviceCert'?<br>
> ><br>
> > ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert<br>
> ><br>
> > (Then provide the contents of caIPAserviceCert.cfg)<br>
> ><br>
> > Could you also provide the contents of file<br>
> > `/etc/pki/pki-tomcat/ca/CS.cfg'?<br>
> ><br>
> > Regards,<br>
> > Fraser<br>
> ><br>
> > --<br>
> > Manage your subscription for the Freeipa-users mailing list:<br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</div></div></blockquote></div><br></div></div></div>