Bug 1477046
Summary: | Use CommonNameToSANDefault in default profile (new installs only) [rhel-7.4.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.3 | CC: | akasurde, ftweedal, ipa-maint, ksiddiqu, ndehadra, pvoborni, pvomacka, rcritten, toneata, tscherf |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.5.0-21.el7.1.2 | Doc Type: | If docs needed, set a value |
Doc Text: | Previously, server certificates issued by IdM listed DNS naming information only in the Common Name (CN) field. However, recent web browsers have started to ignore CN in favor of the Subject Alt Name (SAN) extension. Consequently, these browsers did not recognize the certificates as valid. With this update, the CommonNameToSANDefault profile component has been added to the default certificate profile, and new IdM installations now list the DNS information correctly. | |
Story Points: | --- |
Clone Of: | 1475238 | Environment: | |
Last Closed: | 2017-09-05 11:23:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1475238 | ||
Bug Blocks: |
Description
Oneata Mircea Teodor
2017-08-01 06:50:43 UTC
master:
    1a35a2e213b46f3c5bb91d0f1b7fa05e8f051d4a (HEAD) Add CommonNameToSANDefault to default cert profile

ipa-4-5:
    33aa4c25a2c3d158e43978d8699c3776d0e06599 (HEAD) Add CommonNameToSANDefault to default cert profile

Abhijeet,

To verify: install IPA afresh. Use `ipa cert-request` to request a certificate for a host or service, with the default profile (caIPAserviceCert). DO include the host name in the CN. DO NOT include a Subject Alt Name extension in the CSR. The issued certificate should include the host name in the CN, *and* in the Subject Alt Name extension as a DNS Name.


Verified using the following steps on IPA version :: ipa-server-4.5.0-21.el7_4.1.x86_64

# rpm -qa ipa-server
ipa-server-4.5.0-21.el7_4.1.x86_64

# cat > host1.cnf <<-EOF
> [ req ]
> prompt = no
> encrypt_key = no
>
> distinguished_name = dn
>
> [ dn ]
> commonName = host1.testrelm.test
> EOF
#
# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'host1.key'
-----
# ls
host1.cnf  host1.csr  host1.key

# ipa host-add host1.testrelm.test --ip-address=192.168.10.1
--------------------------------
Added host "host1.testrelm.test"
--------------------------------
  Host name: host1.testrelm.test
  Principal name: host/host1.testrelm.test
  Principal alias: host/host1.testrelm.test
  Password: False
  Keytab: False
  Managed by: host1.testrelm.test

# ipa cert-request
CSR: host1.csr
Principal: host/host1.testrelm.test
  Issuing CA: ipa
  Certificate: [...]
  Subject: CN=host1.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: host1.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Aug 02 12:19:55 2017 UTC
  Not After: Sat Aug 03 12:19:55 2019 UTC
  Serial number: 14
  Serial number (hex): 0xE

# ipa cert-show 14 --out=sample.cert
# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:host1.testrelm.test

Marking BZ as verified.


Fixed upstream
master:
    https://pagure.io/freeipa/c/79955189217fec328f2d561a4a1a23ddb29eac44
ipa-4-5:
    https://pagure.io/freeipa/c/87393daba6b414e3afe6e22e77c9b20e561e5302


IPA-server-version: ipa-server-4.5.0-21.el7_4.1.2.x86_64

Verified the bug on the basis of the following observations:

1. Verified that the upgrade from RHEL 7.1.z to RHEL 7.4.1.2 is successful.
2. Also, verified the bug with the following observations for fresh installs:

See below:
-------------
[root@dhcp207-177 ~]# cat host.cnf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn

[ dn ]
commonName = dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# mv host.cnf hos1t.cnf
[root@dhcp207-177 ~]# mv hos1t.cnf host1.cnf
[root@dhcp207-177 ~]# openssl req -new -newkey rsa:2048 -keyout host1.key -sha256 -nodes -out host1.csr -config host1.cnf
Generating a 2048 bit RSA private key
..........+++
.......................+++
writing new private key to 'host1.key'
-----
[root@dhcp207-177 ~]# cat host1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZZGhjcDIwNy0xNzcudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnATcQ0hVKFzCW4ZIQ
rLLx9e/S+Yp7pnSIDA6OhTv4oU8avVRzFNvC/9DZQey/Agbtwbiht01jRBu25PyH
6tmPza4Wwi1/C/7OL6zhXHW7tNMjsM3hjUG6tE5wJhB1NaZ/v/gFO/nEk3B4v+Mp
kJdyxzMiC0KrSZBtnPo6rTTxwssyhHFQkWkfclu0mfilEpsnqVM3qYDfN7ZC8M5V
jTuow8+J2tWvssP5hmGOuCp8LTHEKTp+vx5ash79yV0bGnebOUlDT/dLQgJjMIKf
rHX556+Y5fCsdDOfMdFd1l2zUwCNFahBUdmEYxQHttfXv+XEWtJQ+TyYkUFIGNq/
CvUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBPikE+y7beGFRp3jQ+i3aaol9V
pQ4ADPBWqWh2enSRj+FovdM7XiC/TfI6D4Y19cjze8E+/KfBQghW1f9oY/VG+Xwq
CN0rtWIl686dZYA7deBPNYKfI+WvwipiLXtZaqHQN6mBWdns8gEfEHRZs+ejdiVk
7I3gx0XNEnxolQbHw77yxmfAAEt3ZrLHBjukQ0tmMmmU95t94jcC0Kz1uc24XDky
f9F0KfvbE9KdcMUuhGIV18YrWeADMI0XVd2l8e97u2B/fT43JhAabcZiSAApIqwv
Q/75yAJGoBDIvf0O1omk111Zs8181t5p0/GJeSYuAeUYwdF767M8C5c6VVy1
-----END CERTIFICATE REQUEST-----
[root@dhcp207-177 ~]# openssl req -in host1.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=dhcp207-177.testrelm.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:27:01:37:10:d2:15:4a:17:30:96:e1:92:10:
                    ac:b2:f1:f5:ef:d2:f9:8a:7b:a6:74:88:0c:0e:8e:
                    85:3b:f8:a1:4f:1a:bd:54:73:14:db:c2:ff:d0:d9:
                    41:ec:bf:02:06:ed:c1:b8:a1:b7:4d:63:44:1b:b6:
                    e4:fc:87:ea:d9:8f:cd:ae:16:c2:2d:7f:0b:fe:ce:
                    2f:ac:e1:5c:75:bb:b4:d3:23:b0:cd:e1:8d:41:ba:
                    b4:4e:70:26:10:75:35:a6:7f:bf:f8:05:3b:f9:c4:
                    93:70:78:bf:e3:29:90:97:72:c7:33:22:0b:42:ab:
                    49:90:6d:9c:fa:3a:ad:34:f1:c2:cb:32:84:71:50:
                    91:69:1f:72:5b:b4:99:f8:a5:12:9b:27:a9:53:37:
                    a9:80:df:37:b6:42:f0:ce:55:8d:3b:a8:c3:cf:89:
                    da:d5:af:b2:c3:f9:86:61:8e:b8:2a:7c:2d:31:c4:
                    29:3a:7e:bf:1e:5a:b2:1e:fd:c9:5d:1b:1a:77:9b:
                    39:49:43:4f:f7:4b:42:02:63:30:82:9f:ac:75:f9:
                    e7:af:98:e5:f0:ac:74:33:9f:31:d1:5d:d6:5d:b3:
                    53:00:8d:15:a8:41:51:d9:84:63:14:07:b6:d7:d7:
                    bf:e5:c4:5a:d2:50:f9:3c:98:91:41:48:18:da:bf:
                    0a:f5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         4f:8a:41:3e:cb:b6:de:18:54:69:de:34:3e:8b:76:9a:a2:5f:
         55:a5:0e:00:0c:f0:56:a9:68:76:7a:74:91:8f:e1:68:bd:d3:
         3b:5e:20:bf:4d:f2:3a:0f:86:35:f5:c8:f3:7b:c1:3e:fc:a7:
         c1:42:08:56:d5:ff:68:63:f5:46:f9:7c:2a:08:dd:2b:b5:62:
         25:eb:ce:9d:65:80:3b:75:e0:4f:35:82:9f:23:e5:af:c2:2a:
         62:2d:7b:59:6a:a1:d0:37:a9:81:59:d9:ec:f2:01:1f:10:74:
         59:b3:e7:a3:76:25:64:ec:8d:e0:c7:45:cd:12:7c:68:95:06:
         c7:c3:be:f2:c6:67:c0:00:4b:77:66:b2:c7:06:3b:a4:43:4b:
         66:32:69:94:f7:9b:7d:e2:37:02:d0:ac:f5:b9:cd:b8:5c:39:
         32:7f:d1:74:29:fb:db:13:d2:9d:70:c5:2e:84:62:15:d7:c6:
         2b:59:e0:03:30:8d:17:55:dd:a5:f1:ef:7b:bb:60:7f:7d:3e:
         37:26:10:1a:6d:c6:62:48:00:29:22:ac:2f:43:fe:f9:c8:02:
         46:a0:10:c8:bd:fd:0e:d6:89:a4:d7:5d:59:b3:cd:7c:d6:de:
         69:d3:f1:89:79:26:2e:01:e5:18:c1:d1:7b:eb:b3:3c:0b:97:
         3a:55:5c:b5
[root@dhcp207-177 ~]# echo Secret123|kinit admin
Password for admin:
[root@dhcp207-177 ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: dhcp207-177.testrelm.test
  Principal name: host/dhcp207-177.testrelm.test
  Principal alias: host/dhcp207-177.testrelm.test
  SSH public key fingerprint: SHA256:qDGz/9kVFxJb2mfsZiDy58139blBpDnVZ2+y6Ilsm1k (ssh-rsa),
                              SHA256:6JQV2LhmHewDBa1mCM2M7i2IkMv7KU+LnviumULmXAI (ecdsa-sha2-nistp256),
                              SHA256:hfuYtKLJnEGGkNuC1/wBQi3K+kwEKMIifnvT3fnEWdM (ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------
[root@dhcp207-177 ~]# ipa cert-request
CSR: host1.csr
Principal: host/dhcp207-177.testrelm.test
  Issuing CA: ipa
  Certificate: [...]
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@dhcp207-177 ~]# ipa cert-show 11 --out=sample.cert
  Issuing CA: ipa
  Certificate: [...]
  Subject: CN=dhcp207-177.testrelm.test,O=TESTRELM.TEST
  Subject DNS name: dhcp207-177.testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Aug 18 14:40:28 2017 UTC
  Not After: Mon Aug 19 14:40:28 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner host: dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# openssl x509 -in sample.cert -text -noout | grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:dhcp207-177.testrelm.test
[root@dhcp207-177 ~]# rpm -q ipa-server
ipa-server-4.5.0-21.el7_4.1.2.x86_64
[root@dhcp207-177 ~]#

Thus, on the basis of the above observations, marking status of bug to "VERIFIED".


Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2568
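The verification procedure in the description (CN-only CSR, no SAN, then check the issued certificate's SAN) and the Doc Text's account of the fix can be exercised offline. What follows is an added example, not code from this bug report, FreeIPA or Dogtag: a stdlib-only DER walker that reads a PKCS#10 CSR, reports the CN and any SAN dNSNames requested through the pkcs-9 extensionRequest attribute, and predicts what the issued certificate's SAN will contain once CommonNameToSANDefault is in the profile. It embeds the CN-only CSR posted in the verification comment above (real page data) and a constructed, unsigned CSR-shaped blob that does carry a SAN (labelled as such in the code). `predicted_san` encodes my reading of the component's behaviour (the CN is copied into the SAN as a dNSName when it looks like a DNS name and is not already present; a CN that does not look like a DNS name is left alone); those rules, the DNS-label regex, and all function names are assumptions of this example, not IPA's code.

```python
# Added example, not code from this bug report, FreeIPA or Dogtag: inspect a
# PKCS#10 CSR for the CN-only/no-SAN case shown above and predict the SAN that
# the CommonNameToSANDefault component will put into the issued certificate.
import base64
import re

# DER-encoded OIDs: id-at-commonName, pkcs-9 extensionRequest, id-ce-subjectAltName
OID_CN = b"\x55\x04\x03"
OID_EXT_REQ = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0e"
OID_SAN = b"\x55\x1d\x11"

# The CN-only CSR posted in the verification comment above (real page data).
PAGE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICaTCCAVECAQAwJDEiMCAGA1UEAwwZZGhjcDIwNy0xNzcudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnATcQ0hVKFzCW4ZIQ
rLLx9e/S+Yp7pnSIDA6OhTv4oU8avVRzFNvC/9DZQey/Agbtwbiht01jRBu25PyH
6tmPza4Wwi1/C/7OL6zhXHW7tNMjsM3hjUG6tE5wJhB1NaZ/v/gFO/nEk3B4v+Mp
kJdyxzMiC0KrSZBtnPo6rTTxwssyhHFQkWkfclu0mfilEpsnqVM3qYDfN7ZC8M5V
jTuow8+J2tWvssP5hmGOuCp8LTHEKTp+vx5ash79yV0bGnebOUlDT/dLQgJjMIKf
rHX556+Y5fCsdDOfMdFd1l2zUwCNFahBUdmEYxQHttfXv+XEWtJQ+TyYkUFIGNq/
CvUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBPikE+y7beGFRp3jQ+i3aaol9V
pQ4ADPBWqWh2enSRj+FovdM7XiC/TfI6D4Y19cjze8E+/KfBQghW1f9oY/VG+Xwq
CN0rtWIl686dZYA7deBPNYKfI+WvwipiLXtZaqHQN6mBWdns8gEfEHRZs+ejdiVk
7I3gx0XNEnxolQbHw77yxmfAAEt3ZrLHBjukQ0tmMmmU95t94jcC0Kz1uc24XDky
f9F0KfvbE9KdcMUuhGIV18YrWeADMI0XVd2l8e97u2B/fT43JhAabcZiSAApIqwv
Q/75yAJGoBDIvf0O1omk111Zs8181t5p0/GJeSYuAeUYwdF767M8C5c6VVy1
-----END CERTIFICATE REQUEST-----"""

def _tlv(buf, pos=0):  # decode one DER TLV at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # (tag, value) of every TLV directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _san_dns_names(extensions):  # dNSNames of the SAN in an Extensions SEQUENCE
    names = []
    for _, ext in _children(extensions):
        fields = _children(ext)  # extnID, optional critical BOOLEAN, extnValue
        if fields[0][1] == OID_SAN:
            _, general_names, _ = _tlv(fields[-1][1])  # OCTET STRING wraps GeneralNames
            names += [v.decode("ascii") for t, v in _children(general_names)
                      if t == 0x82]  # [2] IMPLICIT IA5String = dNSName
    return names

def inspect_csr(pem):  # -> (cn_list, requested_san_dns_names); no signature check
    der = base64.b64decode(re.sub(r"-----[^-]+-----", "", pem))
    _, info = _children(_tlv(der)[1])[0]  # certificationRequestInfo
    fields = _children(info)  # version, subject, subjectPKInfo, [0] attributes
    cns, san = [], []
    for _, rdn in _children(fields[1][1]):  # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                cns.append(val.decode("utf-8"))
    if len(fields) > 3 and fields[3][0] == 0xA0:
        for _, attr in _children(fields[3][1]):
            (_, oid), (_, values) = _children(attr)
            if oid == OID_EXT_REQ:
                for _, exts in _children(values):
                    san += _san_dns_names(exts)
    return cns, san

def predicted_san(cns, requested_san):
    # CommonNameToSANDefault as I read the fix (assumption, not IPA's code): a CN that
    # looks like a DNS name is appended to the SAN as a dNSName unless already there.
    out = list(requested_san)
    for cn in cns:
        labels = cn.split(".")
        if len(labels) > 1 and cn not in out and all(
                re.fullmatch(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)", l) for l in labels):
            out.append(cn)
    return out

def _der(tag, content):  # short-form DER TLV; enough for the small constructed CSR below
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def build_csr_with_san(cn, dns_names):
    # Constructed CSR-shaped PEM carrying an extensionRequest SAN. Key and signature
    # are empty placeholders, so this is NOT a valid request, only parser input.
    subject = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    gns = _der(0x30, b"".join(_der(0x82, n.encode()) for n in dns_names))
    san = _der(0x30, _der(0x06, OID_SAN) + _der(0x04, gns))
    attrs = _der(0xA0, _der(0x30, _der(0x06, OID_EXT_REQ) + _der(0x31, _der(0x30, san))))
    info = _der(0x30, _der(0x02, b"\x00") + subject + _der(0x30, b"") + attrs)
    csr = _der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END CERTIFICATE REQUEST-----\n")
```

Running `inspect_csr(PAGE_CSR)` gives `(["dhcp207-177.testrelm.test"], [])`, which is exactly the pre-fix failure mode: nothing in the request asks for a SAN, so only a CA-side default can put the host name where browsers look. `predicted_san` then returns the host name as the single dNSName, matching the `openssl x509 ... | grep -A 1 Alternative` output in the verification transcript. Pointing `inspect_csr` at `host1.csr` from the page's own `openssl req` command is a useful pre-flight check before `ipa cert-request`; a CSR that already carries the host name in its SAN does not depend on the CA profile at all, which is the safer habit given that CN is precisely the field browsers stopped trusting.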