Bug 1445927

Summary: IPA certificate not accepted by recent Chrome
Product: [Fedora] Fedora Reporter: Tomasz Torcz <tomek>
Component: freeipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26 CC: abokovoy, ipa-maint, jcholast, jhrozek, pioto, pvoborni, rcritten, ssorce, tkrizek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2017-05-12 16:19:53 UTC Type: Bug

Description Tomasz Torcz 2017-04-26 19:54:05 UTC
Description of problem:
Recently, Chromium started to complain about the web certificate on the IPA server. The error NET::ERR_CERT_COMMON_NAME_INVALID talks about [missing_subjectAltName].
It was working correctly until recently. The IPA CA certificate is added to the system trust database.

A similar issue was reported to the mailing list recently:
https://www.redhat.com/archives/freeipa-users/2017-April/msg00195.html

Version-Release number of selected component (if applicable):
freeipa-server-4.4.4-1.fc26.x86_64
google-chrome-stable-58.0.3029.81-1.x86_64

Comment 1 Mike Kelly 2017-05-04 18:47:39 UTC
A workaround exists via Chrome policies:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

For example, on macOS:

defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -boolean TRUE
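
The failure in the description and the policy workaround in comment 1, as an added example that is not part of the bug report and is not FreeIPA or Chrome code: a simplified model of hostname matching over the dict layout returned by Python's ssl getpeercert(), showing SAN-only matching (the behaviour behind the missing_subjectAltName error) beside legacy commonName fallback. The hostnames and sample certificates are constructed, and the function names are hypothetical.

```python
# Added example: SAN-only hostname matching versus legacy commonName fallback.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def _dns_match(pattern, host):
    """Match one DNS name; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    """DNS entries of the subjectAltName extension (empty if absent)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the subject distinguished name."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_hostname(cert, host, cn_fallback=False):
    """Return (ok, reason). cn_fallback=True models the legacy behaviour that
    the EnableCommonNameFallbackForLocalAnchors policy re-enables."""
    sans = san_dns_names(cert)
    if sans:
        ok = any(_dns_match(s, host) for s in sans)
        return ok, "matched subjectAltName" if ok else "no subjectAltName entry matches"
    if cn_fallback and any(_dns_match(c, host) for c in common_names(cert)):
        return True, "matched commonName (legacy fallback)"
    return False, "missing subjectAltName"

# Constructed sample certificates; the hostname is a placeholder.
CN_ONLY = {"subject": ((("commonName", "ipa.example.test"),),)}
WITH_SAN = {"subject": ((("commonName", "ipa.example.test"),),),
            "subjectAltName": (("DNS", "ipa.example.test"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        print(label,
              check_hostname(cert, "ipa.example.test"),
              check_hostname(cert, "ipa.example.test", cn_fallback=True))
```
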

Comment 2 Petr Vobornik 2017-05-12 16:19:53 UTC

*** This bug has been marked as a duplicate of bug 1445345 ***