diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2015-12-07 16:14:28 +1100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-07-19 14:18:04 +0200 |
commit | b12db924143cd6828c596c0b8a261325f3f589f3 (patch) | |
tree | 5b004b8f20fb6e553bfc9ae8df32ae8dc01f8c86 /client/ipa-client-install | |
parent | b144bf527db76573590255d4ac80e9dfd813ba3d (diff) | |
download | freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.tar.gz freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.tar.xz freeipa-b12db924143cd6828c596c0b8a261325f3f589f3.zip |
Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'client/ipa-client-install')
-rwxr-xr-x | client/ipa-client-install | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/client/ipa-client-install b/client/ipa-client-install index 8546ff8b0..3c323173c 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1170,7 +1170,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, try: certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, nickname='Local IPA host', - subject=subject, + subject=subject, dns=[hostname], principal=principal, passwd_fname=passwd_fname) except Exception as ex: |