authorFraser Tweedale <ftweedal@redhat.com>2015-12-07 16:14:28 +1100
committerMartin Basti <mbasti@redhat.com>2016-07-19 14:18:04 +0200
commitb12db924143cd6828c596c0b8a261325f3f589f3 (patch)
tree5b004b8f20fb6e553bfc9ae8df32ae8dc01f8c86 /ipaserver
parentb144bf527db76573590255d4ac80e9dfd813ba3d (diff)
Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic departure from RFC 2818 §3.1, which deprecates identifying a server by its Common Name alone. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal.) Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certs.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b3d273ff1..9eaec7330 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -332,7 +332,7 @@ class CertDB(object):
cdb = self
if subject is None:
subject=DN(('CN', hostname), self.subject_base)
- self.request_cert(subject)
+ self.request_cert(subject, san_dnsnames=[hostname])
cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
self.import_cert(self.certder_fname, nickname)
fd = open(self.certder_fname, "r")
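Review bot: The hostname is now requested as a SAN dNSName, but nothing after `cdb.issue_server_cert(self.certreq_fname, self.certder_fname)` checks that the issued certificate actually carries that extension; whether a CSR extension survives issuance depends on issue_server_cert and the CA profile, neither of which is visible in this hunk. Without such a check the RFC 2818 property the commit claims rests on an assumption, so either verify the dNSName on the imported cert or at least record the dependency, e.g. `# the SAN dNSName is carried in the CSR; the issuing profile must copy request extensions or it is silently dropped`. The enclosing method starts before this hunk and its body continues after it.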
@@ -356,7 +356,9 @@ class CertDB(object):
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
- def request_cert(self, subject, certtype="rsa", keysize="2048"):
+ def request_cert(
+ self, subject, certtype="rsa", keysize="2048",
+ san_dnsnames=None):
assert isinstance(subject, DN)
self.create_noise_file()
self.setup_cert_request()
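Review bot: The new `san_dnsnames` keyword is undocumented and `request_cert` still has no docstring, so a caller cannot tell from the signature that the entries must be DNS names (not IP literals or URIs, which need a different SAN type) or that `None`/empty means no subjectAltName extension is requested. Suggest a docstring directly under the `def`: `"""Generate a key pair and CSR for *subject*; *san_dnsnames*, if non-empty, is a list of DNS names emitted as a subjectAltName dNSName extension (certutil -8)."""`. The body of request_cert continues past the end of this hunk.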
@@ -367,6 +369,8 @@ class CertDB(object):
"-z", self.noise_fname,
"-f", self.passwd_fname,
"-a"]
+ if san_dnsnames is not None and len(san_dnsnames) > 0:
+ args += ['-8', ','.join(san_dnsnames)]
result = self.run_certutil(args,
capture_output=True, capture_error=True)
os.remove(self.noise_fname)
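Review bot: certutil's `-8` takes a comma-separated list, so an entry containing a comma would silently be split into two SAN names and an empty entry would leave a dangling separator; the hunk does not validate the entries, and where the hostname originates (installer arguments, enrolment) is not visible here. A guard before the append makes the contract explicit and the condition can drop to the plain truthiness test: `if san_dnsnames:` / `    if any(not n or ',' in n for n in san_dnsnames): raise ValueError('invalid SAN dNSName')` / `    args += ['-8', ','.join(san_dnsnames)]`. Passing `args` as a list to run_certutil (no shell) is the right call and should stay that way. The rest of request_cert lies outside the hunk.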