authorFraser Tweedale <ftweedal@redhat.com>2015-12-07 16:14:28 +1100
committerMartin Basti <mbasti@redhat.com>2016-07-19 14:18:04 +0200
commitb12db924143cd6828c596c0b8a261325f3f589f3 (patch)
tree5b004b8f20fb6e553bfc9ae8df32ae8dc01f8c86 /ipapython
parentb144bf527db76573590255d4ac80e9dfd813ba3d (diff)
Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py9
1 files changed, 8 insertions, 1 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index db0360fce..1f22fee3d 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -297,9 +297,14 @@ def add_subject(request_id, subject):
add_request_value(request_id, 'template-subject', subject)
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
+def request_cert(
+ nssdb, nickname, subject, principal, passwd_fname=None,
+ dns=None):
"""
Execute certmonger to request a server certificate.
+
+ ``dns``
+ A sequence of DNS names to appear in SAN request extension.
"""
cm = _certmonger()
ca_path = cm.obj_if.find_ca_by_nickname('IPA')
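Review bot: The new ``dns`` docstring entry says "a sequence of DNS names" but the value is handed to certmonger's D-Bus ``add_request`` unchanged in the next hunk, so in practice it must be a list of strings, and the docstring does not say what ``None`` or an empty sequence means. I would extend the entry to `A list of DNS names to appear in the SAN request extension; None or an empty list adds no SAN (the default).` so callers know a hostname-only subject is the fallback rather than an error. The body of request_cert continues past this hunk.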
@@ -310,6 +315,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
SUBJECT=subject, PRINCIPAL=[principal],
CA=ca_path)
+ if dns is not None and len(dns) > 0:
+ request_parameters['DNS'] = dns
if passwd_fname:
request_parameters['KEY_PIN_FILE'] = passwd_fname
result = cm.obj_if.add_request(request_parameters)
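Review bot: The guard `if dns is not None and len(dns) > 0:` is the non-idiomatic spelling of `if dns:`, and because the value is stored as-is, a tuple or generator passed by a caller is forwarded to D-Bus unchanged (a generator would in fact fail at `len()`). I would write the two added lines as `if dns:` followed by `request_parameters['DNS'] = list(dns)`, which normalises the value to the list the docstring promises before it crosses the D-Bus boundary. The same consideration applies to the docstring in the first hunk, which should state that None or an empty sequence adds no SAN.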