[Freeipa-users] DNS SubjectAltName missing in provisioned certificates

Martin Štefany martin at stefany.eu
Sun Mar 27 19:14:47 UTC 2016


Hello,

I seem to be having some issues with the IPA CA feature not generating
certificates with DNS SubjectAltNames.

I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
CentOS 7.2 / IPA 4.2 something's different.

Here are the original steps which worked fine for my first use case ::

$ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
$ ipa host-add mail.example.com
$ ipa service-add smtp/mail.example.com
$ ipa service-add smtp/mail1.example.com
$ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
                      -f /etc/pki/tls/certs/postfix.pem   \
                      -N CN=mail1.example.com,O=EXAMPLE.COM \
                      -D mail1.example.com -D mail.example.com \
                      -K smtp/mail1.example.com
(and repeat for every next member of the cluster...)

After this, I would get certificate with something like ::
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150419153933':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=mail1.example.com,O=EXAMPLE.COM
	expires: 2017-04-19 15:39:35 UTC
	dns: mail1.example.com,mail.example.com
	principal name: smtp/mail1.example.com at EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

with Subject line in form of: 'CN=<hostname>,O=EXAMPLE.COM' and 'dns'
info line present.

Suddenly, in the current setup, after the upgrade from 4.0 to 4.2, I'm
getting this ::

$ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
$ ipa host-add w3.example.com
$ ipa service-add HTTP/w3.example.com
$ ipa service-add HTTP/http1.example.com
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
                      -f /etc/pki/tls/certs/httpd.pem   \
                      -N CN=http1.example.com,O=EXAMPLE.COM \
                      -D http1.example.com -D w3.example.com \
                      -K HTTP/http1.example.com
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20160327095125':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=http1.example.com,OU=pki-ipa,O=IPA
	expires: 2018-03-28 09:51:27 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of
'CN=<hostname>,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing?

To be clear, if I don't do ::
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com

then the certificate is just not issued ('REJECTED'), but once this is
done properly in the described steps, the DNS SANs are not happening.

I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only
against my current IPA 4.2 on CentOS 7.2.

For the actual certificates ::
$ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Apr 19 15:39:35 2015 GMT
            Not After : Apr 19 15:39:35 2017 GMT
        Subject: O=EXAMPLE.COM, CN=mail1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [cut]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:[cut]

            Authority Information Access: 
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier: 
                [cut]
            X509v3 Subject Alternative Name: 
                DNS:mail1.example.com, DNS:mail.example.com, othername:<unsupported>, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
         [cut]

vs.

$ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 71 (0x47)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Mar 27 09:51:27 2016 GMT
            Not After : Mar 28 09:51:27 2018 GMT
        Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [cut]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:[cut]

            Authority Information Access: 
                OCSP - URI:http://idmc1.example.com:80/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         [cut]

so even the reference to the CRL is missing here, but OCSP is present.


Sorry if this is a duplicate, but from what I was able to find, DNS
SubjectAltNames are reported as working since CentOS 7.1, and I think I'm
consistent with http://www.freeipa.org/page/PKI, unless I'm missing something
obvious here.

For new features like certificate profiles and ACLs, I haven't changed
any defaults as far as I know, as there was no need for that.


Thank you for any support in advance! And Happy Easter!

Martin
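The discrepancy shown above (certmonger lists a `dns:` line for one certificate and nothing for the other, and the two `openssl x509 -text` dumps differ in their Subject Alternative Name extension) can be verified from the issued PEM file itself rather than by reading dumps by eye. The script below is an added example, not part of the original post and not FreeIPA or certmonger code; it assumes only the `openssl` CLI (1.1.1 or later, for `req -addext` and `x509 -ext`) and builds two throwaway self-signed certificates as constructed test data, one carrying the requested DNS SANs and one without, then runs a `check_san` function that fails when any requested name is absent. One caveat worth knowing when comparing the two tools: `ipa-getcert list` prints the subject in RFC 2253 order (`CN=...,O=...`) while the default `openssl x509 -text` output prints it in the opposite order (`O=..., CN=...`); they are the same DN, so the helper here uses `-nameopt RFC2253` for a like-for-like comparison.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/certmonger.
# Checks whether an issued certificate carries the DNS SANs that were
# requested, the way a certmonger post-save hook or a CI check might.
# Assumes only the openssl CLI (1.1.1 or later, for `req -addext`).
set -eu

# san_dns_names CERT.pem -> one DNS SAN per line; empty if the extension is
# absent. Non-DNS entries (e.g. the Kerberos principal othername) are ignored.
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# subject_dn CERT.pem -> subject in RFC 2253 order (CN=...,O=...), the same
# order `ipa-getcert list` prints, unlike the default `openssl x509 -text` order.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# check_san CERT.pem NAME... -> exit 0 if every NAME is a DNS SAN, 1 otherwise.
check_san() {
    cert=$1
    shift
    present=$(san_dns_names "$cert")
    rc=0
    for want in "$@"; do
        if printf '%s\n' "$present" | grep -qxF -- "$want"; then
            echo "ok      DNS:$want"
        else
            echo "MISSING DNS:$want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# make_test_cert OUT.pem CN [SANS] -> throwaway self-signed cert (constructed
# test data standing in for what the IPA CA would issue). SANS is an openssl
# subjectAltName value such as "DNS:a.example.com,DNS:b.example.com".
make_test_cert() {
    out=$1
    cn=$2
    sans=${3:-}
    if [ -n "$sans" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$out.key" -out "$out" \
            -subj "/O=EXAMPLE.COM/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$out.key" -out "$out" \
            -subj "/O=EXAMPLE.COM/CN=$cn" 2>/dev/null
    fi
}

# Demo: one cert with the SANs the request asked for, one without (the
# symptom described in the post). Both outcomes are reported without aborting.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_cert "$WORK/postfix.pem" mail1.example.com \
    "DNS:mail1.example.com,DNS:mail.example.com"
make_test_cert "$WORK/httpd.pem" http1.example.com

echo "== postfix.pem: $(subject_dn "$WORK/postfix.pem")"
if check_san "$WORK/postfix.pem" mail1.example.com mail.example.com; then
    echo "   SANs as requested"
fi
echo "== httpd.pem: $(subject_dn "$WORK/httpd.pem")"
if ! check_san "$WORK/httpd.pem" http1.example.com w3.example.com; then
    echo "   requested SANs missing from the issued certificate"
fi
```

Run against a real file as `check_san /etc/pki/tls/certs/httpd.pem http1.example.com w3.example.com`; a non-zero exit means at least one name passed with `-D` to `ipa-getcert request` did not make it into the issued certificate, which is exactly the condition a TLS client would later report as a hostname mismatch.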