Bug 1477046

Summary: Use CommonNameToSANDefault in default profile (new installs only) [rhel-7.4.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: high
Priority: high
Version: 7.3
CC: akasurde, ftweedal, ipa-maint, ksiddiqu, ndehadra, pvoborni, pvomacka, rcritten, toneata, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.5.0-21.el7.1.2
Doc Type: If docs needed, set a value
Doc Text:
Previously, server certificates issued by IdM listed DNS naming information only in the Common Name (CN) field. However, recent web browsers have started to ignore CN in favor of the Subject Alt Name (SAN) extension. Consequently, these browsers did not recognize the certificates as valid. With this update, the CommonNameToSANDefault profile component has been added to the default certificate profile, and new IdM installations now list the DNS information correctly.
Clone Of: 1475238
Last Closed: 2017-09-05 11:23:13 UTC
Bug Depends On: 1475238

Description Oneata Mircea Teodor 2017-08-01 06:50:43 UTC
This bug has been copied from bug #1475238 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 2 Petr Vobornik 2017-08-01 06:54:26 UTC
master:
    1a35a2e213b46f3c5bb91d0f1b7fa05e8f051d4a (HEAD) Add CommonNameToSANDefault to default cert profile

ipa-4-5:
    33aa4c25a2c3d158e43978d8699c3776d0e06599 (HEAD) Add CommonNameToSANDefault to default cert profile

Comment 5 Fraser Tweedale 2017-08-02 11:06:45 UTC
Abhijeet,

To verify: install IPA afresh.  Use `ipa cert-request` to request a certificate
for a host or service, with the default profile (caIPAserviceCert).
DO include the host name in the CN.
DO NOT include a Subject Alt Name extension in the CSR.

The issued certificate should include the host name in the CN,
*and* in the Subject Alt Name extension as a DNS Name.

Comment 8 Abhijeet Kasurde 2017-08-03 08:22:28 UTC
Verified using the following steps on IPA version:
ipa-server-4.5.0-21.el7_4.1.x86_64

# rpm -qa ipa-server
ipa-server-4.5.0-21.el7_4.1.x86_64

# cat > host1.cnf <<-EOF
> [ req ]
> prompt = no
> encrypt_key = no
>
> distinguished_name = dn
>
> [ dn ]
> commonName = host1.testrelm.test
> EOF
#
# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'host1.key'
-----

# ls
host1.cnf  host1.csr  host1.key

# ipa host-add host1.testrelm.test --ip-address=192.168.10.1
--------------------------------
Added host "host1.testrelm.test"
--------------------------------
  Host name: host1.testrelm.test
  Principal name: host/host1.testrelm.test
  Principal alias: host/host1.testrelm.test
  Password: False
  Keytab: False
  Managed by: host1.testrelm.test

# ipa cert-request
  CSR: host1.csr
  Principal: host/host1.testrelm.test
    Issuing CA: ipa
    Certificate: (omitted)
    Subject: CN=host1.testrelm.test,O=TESTRELM.TEST
    Subject DNS name: host1.testrelm.test
    Issuer: CN=Certificate Authority,O=TESTRELM.TEST
    Not Before: Wed Aug 02 12:19:55 2017 UTC
    Not After: Sat Aug 03 12:19:55 2019 UTC
    Serial number: 14
    Serial number (hex): 0xE
# ipa cert-show 14 --out=sample.cert
# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:host1.testrelm.test

Marking BZ as verified.

Comment 16 Nikhil Dehadrai 2017-08-21 03:19:31 UTC
IPA-server-version: ipa-server-4.5.0-21.el7_4.1.2.x86_64

Verified the bug on the basis of the following observations:
1. Verified that the upgrade from RHEL 7.1.z to RHEL 7.4.1.2 is successful.
2. Also verified the bug with the following observations for fresh installs:

See below:
-------------
[root@dhcp207-177 ~]# cat host.cnf 
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
[ dn ]
commonName = dhcp207-177.testrelm.test

[root@dhcp207-177 ~]# mv host.cnf hos1t.cnf 
[root@dhcp207-177 ~]# mv hos1t.cnf host1.cnf

[root@dhcp207-177 ~]# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
..........+++
.......................+++
writing new private key to 'host1.key'
-----
[root@dhcp207-177 ~]# cat host1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZZGhjcDIwNy0xNzcudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnATcQ0hVKFzCW4ZIQ
rLLx9e/S+Yp7pnSIDA6OhTv4oU8avVRzFNvC/9DZQey/Agbtwbiht01jRBu25PyH
6tmPza4Wwi1/C/7OL6zhXHW7tNMjsM3hjUG6tE5wJhB1NaZ/v/gFO/nEk3B4v+Mp
kJdyxzMiC0KrSZBtnPo6rTTxwssyhHFQkWkfclu0mfilEpsnqVM3qYDfN7ZC8M5V
jTuow8+J2tWvssP5hmGOuCp8LTHEKTp+vx5ash79yV0bGnebOUlDT/dLQgJjMIKf
rHX556+Y5fCsdDOfMdFd1l2zUwCNFahBUdmEYxQHttfXv+XEWtJQ+TyYkUFIGNq/
CvUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBPikE+y7beGFRp3jQ+i3aaol9V
pQ4ADPBWqWh2enSRj+FovdM7XiC/TfI6D4Y19cjze8E+/KfBQghW1f9oY/VG+Xwq
CN0rtWIl686dZYA7deBPNYKfI+WvwipiLXtZaqHQN6mBWdns8gEfEHRZs+ejdiVk
7I3gx0XNEnxolQbHw77yxmfAAEt3ZrLHBjukQ0tmMmmU95t94jcC0Kz1uc24XDky
f9F0KfvbE9KdcMUuhGIV18YrWeADMI0XVd2l8e97u2B/fT43JhAabcZiSAApIqwv
Q/75yAJGoBDIvf0O1omk111Zs8181t5p0/GJeSYuAeUYwdF767M8C5c6VVy1
-----END CERTIFICATE REQUEST-----

[root@dhcp207-177 ~]# openssl req -in host1.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=dhcp207-177.testrelm.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:27:01:37:10:d2:15:4a:17:30:96:e1:92:10:
                    ac:b2:f1:f5:ef:d2:f9:8a:7b:a6:74:88:0c:0e:8e:
                    85:3b:f8:a1:4f:1a:bd:54:73:14:db:c2:ff:d0:d9:
                    41:ec:bf:02:06:ed:c1:b8:a1:b7:4d:63:44:1b:b6:
                    e4:fc:87:ea:d9:8f:cd:ae:16:c2:2d:7f:0b:fe:ce:
                    2f:ac:e1:5c:75:bb:b4:d3:23:b0:cd:e1:8d:41:ba:
                    b4:4e:70:26:10:75:35:a6:7f:bf:f8:05:3b:f9:c4:
                    93:70:78:bf:e3:29:90:97:72:c7:33:22:0b:42:ab:
                    49:90:6d:9c:fa:3a:ad:34:f1:c2:cb:32:84:71:50:
                    91:69:1f:72:5b:b4:99:f8:a5:12:9b:27:a9:53:37:
                    a9:80:df:37:b6:42:f0:ce:55:8d:3b:a8:c3:cf:89:
                    da:d5:af:b2:c3:f9:86:61:8e:b8:2a:7c:2d:31:c4:
                    29:3a:7e:bf:1e:5a:b2:1e:fd:c9:5d:1b:1a:77:9b:
                    39:49:43:4f:f7:4b:42:02:63:30:82:9f:ac:75:f9:
                    e7:af:98:e5:f0:ac:74:33:9f:31:d1:5d:d6:5d:b3:
                    53:00:8d:15:a8:41:51:d9:84:63:14:07:b6:d7:d7:
                    bf:e5:c4:5a:d2:50:f9:3c:98:91:41:48:18:da:bf:
                    0a:f5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         4f:8a:41:3e:cb:b6:de:18:54:69:de:34:3e:8b:76:9a:a2:5f:
         55:a5:0e:00:0c:f0:56:a9:68:76:7a:74:91:8f:e1:68:bd:d3:
         3b:5e:20:bf:4d:f2:3a:0f:86:35:f5:c8:f3:7b:c1:3e:fc:a7:
         c1:42:08:56:d5:ff:68:63:f5:46:f9:7c:2a:08:dd:2b:b5:62:
         25:eb:ce:9d:65:80:3b:75:e0:4f:35:82:9f:23:e5:af:c2:2a:
         62:2d:7b:59:6a:a1:d0:37:a9:81:59:d9:ec:f2:01:1f:10:74:
         59:b3:e7:a3:76:25:64:ec:8d:e0:c7:45:cd:12:7c:68:95:06:
         c7:c3:be:f2:c6:67:c0:00:4b:77:66:b2:c7:06:3b:a4:43:4b:
         66:32:69:94:f7:9b:7d:e2:37:02:d0:ac:f5:b9:cd:b8:5c:39:
         32:7f:d1:74:29:fb:db:13:d2:9d:70:c5:2e:84:62:15:d7:c6:
         2b:59:e0:03:30:8d:17:55:dd:a5:f1:ef:7b:bb:60:7f:7d:3e:
         37:26:10:1a:6d:c6:62:48:00:29:22:ac:2f:43:fe:f9:c8:02:
         46:a0:10:c8:bd:fd:0e:d6:89:a4:d7:5d:59:b3:cd:7c:d6:de:
         69:d3:f1:89:79:26:2e:01:e5:18:c1:d1:7b:eb:b3:3c:0b:97:
         3a:55:5c:b5

[root@dhcp207-177 ~]# echo Secret123|kinit admin
Password for admin: 
[root@dhcp207-177 ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: dhcp207-177.testrelm.test
  Principal name: host/dhcp207-177.testrelm.test
  Principal alias: host/dhcp207-177.testrelm.test
  SSH public key fingerprint: SHA256:qDGz/9kVFxJb2mfsZiDy58139blBpDnVZ2+y6Ilsm1k (ssh-rsa), SHA256:6JQV2LhmHewDBa1mCM2M7i2IkMv7KU+LnviumULmXAI (ecdsa-sha2-nistp256), SHA256:hfuYtKLJnEGGkNuC1/wBQi3K+kwEKMIifnvT3fnEWdM (ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------
[root@dhcp207-177 ~]# ipa cert-request 
CSR: host1.csr
Principal: host/dhcp207-177.testrelm.test
  Issuing CA: ipa
  Certificate: MIIERTCCAy2gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwODE4MTQ0MDI4WhcNMTkwODE5MTQ0MDI4WjA8MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSIwIAYDVQQDDBlkaGNwMjA3LTE3Ny50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCcBNxDSFUoXMJbhkhCssvH179L5inumdIgMDo6FO/ihTxq9VHMU28L/0NlB7L8CBu3BuKG3TWNEG7bk/Ifq2Y/NrhbCLX8L/s4vrOFcdbu00yOwzeGNQbq0TnAmEHU1pn+/+AU7+cSTcHi/4ymQl3LHMyILQqtJkG2c+jqtNPHCyzKEcVCRaR9yW7SZ+KUSmyepUzepgN83tkLwzlWNO6jDz4na1a+yw/mGYY64KnwtMcQpOn6/HlqyHv3JXRsad5s5SUNP90tCAmMwgp+sdfnnr5jl8Kx0M58x0V3WXbNTAI0VqEFR2YRjFAe219e/5cRa0lD5PJiRQUgY2r8K9QIDAQABo4IBVDCCAVAwHwYDVR0jBBgwFoAUL1uVNUeazZNekVCskDqifAIjnyQwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDZt5E+3811S67+fKB0HtQGKt5xnMCQGA1UdEQQdMBuCGWRoY3AyMDctMTc3LnRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAE5c2EnmsXMQGF2nMNO7BiwWnSVV9FuBhNnZWIjIHYEJKi5llz5DVRISrrTKQVrTCzGSyeTJcJGrQX4oU1uVT9YNMMmIGhJZfh3eTWZHk8wy5HdLUzMA99jXOkMylzcA5AUY77haEHsvnVm5KE5De7Q1jFgw1x/6gZdJwRkQvh4WbrxCySeOcdRNsYhXr4COJ9VyaaJJEfmo7SFxBFLiu3KbHeuHfjn/WcTCJRuUCKFwow1Z0au0p6ikJZ1F1hEEN6I3UrcYADWdnHqd1eU1N75l+JfcuMNslepHWkbPIbxvIUhMcGaE+StmYFFE+hwQ7a//cWbfd7rFDQyC0XzgUYQ=
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@dhcp207-177 ~]# ipa cert-show 11 --out=sample.cert
  Issuing CA: ipa
  Certificate: (omitted)
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner host: dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name: 
                DNS:dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# rpm -q ipa-server
ipa-server-4.5.0-21.el7_4.1.2.x86_64
[root@dhcp207-177 ~]#

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
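What the CA-side change amounts to, checked offline against the artifacts quoted above: the CSR carries the host name only in its CN (no extensionRequest attribute, so no SAN), while the certificate the IPA CA returned for it carries the same name as a SAN dNSName, which is what Comment 5 asks the verifier to confirm with `openssl x509 ... | grep Alternative`. The script below is an added example, not code from this bug report or from FreeIPA: a stdlib-only DER walker that extracts just the Subject CN and the SAN dNSName entries, run over the CSR and the certificate from Comment 16 (copied in as the sample inputs). The function names, `cn_covered_by_san` included, are the example's own; the check it implements is the property the fixed profile guarantees, not an IPA API.

```python
"""What CommonNameToSANDefault changes, checked offline: the CSR names the host
only in its CN; the certificate the IPA CA issued names it in the SAN as well.
Added example, not code from the bug report or from FreeIPA: a stdlib-only DER
walker for the two fields that matter here (Subject CN and SAN dNSName).
"""
import base64
import re

OID_CN = bytes.fromhex("550403")                   # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")                  # 2.5.29.17 subjectAltName
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest

# Sample inputs copied from Comment 16 of this report: host1.csr (CN only, no
# SAN requested) and the certificate `ipa cert-request` returned for it.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZZGhjcDIwNy0xNzcudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnATcQ0hVKFzCW4ZIQ
rLLx9e/S+Yp7pnSIDA6OhTv4oU8avVRzFNvC/9DZQey/Agbtwbiht01jRBu25PyH
6tmPza4Wwi1/C/7OL6zhXHW7tNMjsM3hjUG6tE5wJhB1NaZ/v/gFO/nEk3B4v+Mp
kJdyxzMiC0KrSZBtnPo6rTTxwssyhHFQkWkfclu0mfilEpsnqVM3qYDfN7ZC8M5V
jTuow8+J2tWvssP5hmGOuCp8LTHEKTp+vx5ash79yV0bGnebOUlDT/dLQgJjMIKf
rHX556+Y5fCsdDOfMdFd1l2zUwCNFahBUdmEYxQHttfXv+XEWtJQ+TyYkUFIGNq/
CvUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBPikE+y7beGFRp3jQ+i3aaol9V
pQ4ADPBWqWh2enSRj+FovdM7XiC/TfI6D4Y19cjze8E+/KfBQghW1f9oY/VG+Xwq
CN0rtWIl686dZYA7deBPNYKfI+WvwipiLXtZaqHQN6mBWdns8gEfEHRZs+ejdiVk
7I3gx0XNEnxolQbHw77yxmfAAEt3ZrLHBjukQ0tmMmmU95t94jcC0Kz1uc24XDky
f9F0KfvbE9KdcMUuhGIV18YrWeADMI0XVd2l8e97u2B/fT43JhAabcZiSAApIqwv
Q/75yAJGoBDIvf0O1omk111Zs8181t5p0/GJeSYuAeUYwdF767M8C5c6VVy1
-----END CERTIFICATE REQUEST-----"""
CERT_B64 = "MIIERTCCAy2gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwODE4MTQ0MDI4WhcNMTkwODE5MTQ0MDI4WjA8MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSIwIAYDVQQDDBlkaGNwMjA3LTE3Ny50ZXN0cmVsbS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCcBNxDSFUoXMJbhkhCssvH179L5inumdIgMDo6FO/ihTxq9VHMU28L/0NlB7L8CBu3BuKG3TWNEG7bk/Ifq2Y/NrhbCLX8L/s4vrOFcdbu00yOwzeGNQbq0TnAmEHU1pn+/+AU7+cSTcHi/4ymQl3LHMyILQqtJkG2c+jqtNPHCyzKEcVCRaR9yW7SZ+KUSmyepUzepgN83tkLwzlWNO6jDz4na1a+yw/mGYY64KnwtMcQpOn6/HlqyHv3JXRsad5s5SUNP90tCAmMwgp+sdfnnr5jl8Kx0M58x0V3WXbNTAI0VqEFR2YRjFAe219e/5cRa0lD5PJiRQUgY2r8K9QIDAQABo4IBVDCCAVAwHwYDVR0jBBgwFoAUL1uVNUeazZNekVCskDqifAIjnyQwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGA1UdHwRxMG8wbaA1oDOGMWh0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDZt5E+3811S67+fKB0HtQGKt5xnMCQGA1UdEQQdMBuCGWRoY3AyMDctMTc3LnRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAE5c2EnmsXMQGF2nMNO7BiwWnSVV9FuBhNnZWIjIHYEJKi5llz5DVRISrrTKQVrTCzGSyeTJcJGrQX4oU1uVT9YNMMmIGhJZfh3eTWZHk8wy5HdLUzMA99jXOkMylzcA5AUY77haEHsvnVm5KE5De7Q1jFgw1x/6gZdJwRkQvh4WbrxCySeOcdRNsYhXr4COJ9VyaaJJEfmo7SFxBFLiu3KbHeuHfjn/WcTCJRuUCKFwow1Z0au0p6ikJZ1F1hEEN6I3UrcYADWdnHqd1eU1N75l+JfcuMNslepHWkbPIbxvIUhMcGaE+StmYFFE+hwQ7a//cWbfd7rFDQyC0XzgUYQ="

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def _to_der(text):
    """Accept a PEM block or the bare base64 that `ipa cert-request` prints."""
    body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(re.sub(r"\s+", "", body))

def _cn(name):
    """commonName from a Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8")   # PrintableString or UTF8String
    return None

def _san_dns(extensions):
    """dNSName entries of subjectAltName in an Extensions (SEQUENCE OF Extension)."""
    names = []
    for _, ext in _children(extensions):
        parts = _children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
        if parts[0][1] == OID_SAN:
            for tag, val in _children(_tlv(parts[-1][1], 0)[1]):  # GeneralNames
                if tag == 0x82:                    # [2] dNSName, IA5String
                    names.append(val.decode("ascii"))
    return names

def cert_cn_and_san(text):
    """(CN, [SAN DNS names]) of an X.509 certificate."""
    tbs = _children(_children(_tlv(_to_der(text), 0)[1])[0][1])
    fields = tbs[1:] if tbs[0][0] == 0xA0 else tbs   # drop the optional [0] version
    # 0 serial, 1 sigAlg, 2 issuer, 3 validity, 4 subject, 5 SPKI, 6.. optional
    exts = [c for t, c in fields[6:] if t == 0xA3]   # [3] EXPLICIT Extensions
    return _cn(fields[4][1]), (_san_dns(_children(exts[0])[0][1]) if exts else [])

def csr_cn_and_san(text):
    """(CN, [SAN DNS names]) a PKCS#10 CSR asks for via its extensionRequest."""
    info = _children(_children(_tlv(_to_der(text), 0)[1])[0][1])
    names = []                       # info: version, subject, SPKI, [0] attributes
    for _, attr in _children(info[3][1]):
        oid, values = _children(attr)               # Attribute: OID, SET OF value
        if oid[1] == OID_EXT_REQ:
            names += _san_dns(_children(values[1])[0][1])
    return _cn(info[1][1]), names

def cn_covered_by_san(cn, dns_names):
    """The property the fixed profile guarantees: the CN host is also a SAN dNSName."""
    return cn is not None and cn.lower() in {d.lower() for d in dns_names}

if __name__ == "__main__":
    print("CSR:        ", csr_cn_and_san(CSR_PEM))     # CN set, no SAN requested
    print("certificate:", cert_cn_and_san(CERT_B64))   # CN plus SAN dNSName added by the CA
```

The walker assumes DER with single-byte tags, which is all X.509 and PKCS#10 use. On the two artifacts above it reports the CN `dhcp207-177.testrelm.test` with an empty SAN list for the CSR and the same name in both fields for the certificate, so `cn_covered_by_san` is false for the request and true for what the CA issued. Run over a certificate issued by an IdM CA that still lacks the profile component, the SAN list comes back empty, which is the condition the Doc Text describes browsers rejecting.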

Comment 18 errata-xmlrpc 2017-09-05 11:23:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2568