Bug 1445345

Summary: Backport patch to add SAN extension into certificates
Product: Fedora
Component: freeipa
Reporter: Martin Bašti <mbasti>
Assignee: Tomas Krizek <tkrizek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Version: 25
CC: abokovoy, ipa-maint, jcholast, jhrozek, mbasti, pasteur, pvoborni, rcritten, ssorce, tkrizek, tomek
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-05-17 08:22:24 UTC

Description Martin Bašti 2017-04-25 13:54:42 UTC
The fix from ticket https://pagure.io/freeipa/issue/4970 must be backported to Fedora 25 and 26, because Chrome stops supporting certificates without SAN.

Comment 1 Petr Vobornik 2017-05-12 16:18:12 UTC
Backporting the patch will solve only new installs but it won't update existing installations.

Martin, could you provide a command which will renew the cert with the required extensions?

Comment 2 Petr Vobornik 2017-05-12 16:19:53 UTC
*** Bug 1445927 has been marked as a duplicate of this bug. ***

Comment 3 Martin Bašti 2017-05-15 07:52:31 UTC
Please follow the steps in the following email https://www.redhat.com/archives/freeipa-users/2017-April/msg00197.html to renew the certificate with the SAN extension.

Comment 4 Petr Vobornik 2017-05-15 07:56:12 UTC
Then Marco Rhodes transformed it into a simple Ansible playbook:

- name: add SAN extension to IPA Apache SSL certificates
  hosts: ipa_v4
  gather_facts: no

  tasks:
  - name: certmonger - resubmit Apache SSL CSR with SAN extension
    shell: getcert resubmit -d /etc/httpd/alias -n 'Server-Cert' -D `hostname -f` -w -v
    become: true
    register: resubmit_result
  - debug: var=resubmit_result.stdout_lines
  - name: certmonger - list tracking status for Apache SSL certificate
    shell: getcert list -d /etc/httpd/alias/ -n 'Server-Cert'  |egrep " ID|status:|stuck:|certificate:|expires:"
    become: true
    register: list_result
  - debug: var=list_result.stdout_lines
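Added example (not part of the bug report or of FreeIPA): after the resubmit above, an admin will want to confirm that the renewed Apache certificate actually carries a subjectAltName matching the host, since Chrome ignores the CN. The first function checks any PEM certificate; the second exports the Server-Cert from the /etc/httpd/alias NSS database named in the playbook (the certutil/openssl invocations and the temp-file handling are my assumptions about the environment).

```shell
#!/bin/sh
# cert_has_san_for CERT.pem HOSTNAME
#   exit 0 if the certificate's subjectAltName contains DNS:HOSTNAME, 1 otherwise.
cert_has_san_for() {
    cert="$1"
    host="$2"
    # `openssl x509 -text` prints the SAN header on one line and the entries on the
    # next, e.g. "DNS:ipa.example.test, DNS:alias.example.test". Keep only that
    # line, split the comma-separated entries, strip indentation, and look for an
    # exact (fixed-string) match on the requested DNS name.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | grep -qxF "DNS:$host"
}

# check_ipa_httpd_cert
#   Export the Apache server certificate from the IPA NSS database (path and
#   nickname as used in the bug's playbook) and verify it has a SAN for this host.
#   exit 0 = SAN present, 1 = SAN missing, 2 = could not export the certificate.
check_ipa_httpd_cert() {
    tmp=$(mktemp) || return 2
    if ! certutil -L -d /etc/httpd/alias -n Server-Cert -a > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    if cert_has_san_for "$tmp" "$(hostname -f)"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Run `check_ipa_httpd_cert && echo "SAN ok" || echo "SAN missing or export failed"` on the IPA server; a non-zero result on an upgraded host means the renewal in Comment 3/4 has not been applied yet.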

Comment 5 Tomas Krizek 2017-05-17 08:22:24 UTC
This has been fixed since IPA 4.4.1.

https://pagure.io/freeipa/c/b12db924143cd6828c596c0b8a261325f3f589f3