Bug 1846349
| Summary: | cannot issue certs with multiple IP addresses corresponding to different hosts [rhel-7.9.z] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> | |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.8 | CC: | amore, arajendr, asharov, jreznik, ksiddiqu, myusuf, pcech, rcritten, tscherf | |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.6.8-5.el7_9.4 | Doc Type: | If docs needed, set a value | |
| Doc Text: | | Story Points: | --- | |
| Clone Of: | ||||
| : | 1846352 (view as bug list) | Environment: | ||
| Last Closed: | 2021-03-16 13:56:37 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1846352 | |||
Pull request (master branch): https://github.com/freeipa/freeipa/pull/4810

master:
68ada5f (HEAD) fix iPAddress cert issuance for >1 host/service
ipa-4-8:
1285001 (HEAD) fix iPAddress cert issuance for >1 host/service
ipa-4-6:
233c49afb4a5ed4a50b247b222a477b926a17e38 (HEAD) fix iPAddress cert issuance for >1 host/service

Moving to POST.

Test added upstream in ipatests/test_xmlrpc/test_cert_request_ip_address.py::TestTwoHostsTwoIPAddresses

RHEL-7.9 is already past the end of a Development Phase and development is being wrapped up. This bug is being moved to RHEL 7.9 z-stream.

Verified using:
2021-02-10T07:18:46+0000 name: ipa-server
2021-02-10T07:18:46+0000 release: 5.el7_9.4
2021-02-10T07:18:46+0000 source: rpm
2021-02-10T07:18:46+0000 version: 4.6.8
Test log:
============================= test session starts ==============================
platform linux2 -- Python 2.7.5, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python2
cachedir: .pytest_cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-1160.17.1.el7.x86_64-x86_64-with-redhat-7.9-Maipo', 'Packages': {'py': '1.10.0', 'pytest': '3.10.1', 'pluggy': '0.13.1'}, 'Plugins': {u'html': u'1.22.1', u'multihost': u'1.1', u'sourceorder': u'0.5', u'metadata': u'1.11.0'}}
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-1.1, sourceorder-0.5
collecting ... collected 2350 items / 12 deselected
test_xmlrpc/test_add_remove_cert_cmd.py::TestCertManipCmdUser::test_01_add_cert_to_nonexistent_entity PASSED [ 0%]
test_xmlrpc/test_add_remove_cert_cmd.py::TestCertManipCmdUser::test_02_remove_cert_from_nonexistent_entity PASSED [ 0%]
test_xmlrpc/test_add_remove_cert_cmd.py::TestCertManipCmdUser::test_03_remove_cert_from_entity_with_no_certs PASSED [ 0%]
...
....
....
test_xmlrpc/test_cert_request_ip_address.py::TestIPAddressCNAME::test_one_level PASSED [ 15%]
test_xmlrpc/test_cert_request_ip_address.py::TestIPAddressCNAME::test_two_levels PASSED [ 15%]
test_xmlrpc/test_cert_request_ip_address.py::TestTwoHostsTwoIPAddresses::test_host_exists PASSED [ 15%]
test_xmlrpc/test_cert_request_ip_address.py::TestTwoHostsTwoIPAddresses::test_issuance PASSED [ 15%]
test_xmlrpc/test_certmap_plugin.py::TestCRUD::test_create[dont_fill=()] PASSED [ 15%]
test_xmlrpc/test_certmap_plugin.py::TestCRUD::test_create[dont_fill=(description)] PASSED [ 15%]
test_xmlrpc/test_certmap_plugin.py::TestCRUD::test_create[dont_fill=(ipacertmapmaprule)] PASSED [ 15%]
Tests from TestTwoHostsTwoIPAddresses passed.
Based on this, marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: ipa security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0860
Description of problem:

1. Environment
   1. RHEL 7.8
   2. ipa 4.6.6-11

2. Records are added in IPA DNS for both names.

[root@ipaserver nssdb]# nslookup ipa1.sub.ipaexample.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ipa1.sub.ipaexample.com
Address: 10.10.100.2

[root@ipaserver nssdb]# nslookup ipa2.sub.ipaexample.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ipa2.sub.ipaexample.com
Address: 10.10.100.3

[root@ipaserver nssdb]# nslookup 10.10.100.3
3.100.10.10.in-addr.arpa        name = ipa2.sub.ipaexample.com.

[root@ipaserver nssdb]# nslookup 10.10.100.2
2.100.10.10.in-addr.arpa        name = ipa1.sub.ipaexample.com.

1] With multiple DNS and IP and CN=ipa1.sub.ipaexample.com (throws error for 10.10.100.3)

# certutil -d . -R -a -o ipa2.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2,ip:10.10.100.3
# openssl req -text < ipa2.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2, IP Address:10.10.100.3
# ipa cert-request ipa2.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa2.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.3) unreachable from DNS names

2] With multiple DNS and IP and CN=ipa2.sub.ipaexample.com (throws error for 10.10.100.2)

# certutil -d . -R -a -o ipa3.csr -s CN=ipa2.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2,ip:10.10.100.3
# openssl req -text < ipa3.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2, IP Address:10.10.100.3
# ipa cert-request ipa3.csr --principal host/ipa2.sub.ipaexample.com --certificate-out ipa3.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.2) unreachable from DNS names

3] With single IP address

# certutil -d . -R -a -o ipa.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2
# openssl req -text < ipa.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2
# ipa cert-request ipa.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa.pem
  Issuing CA: ipa
  Certificate: [omitted]
  Subject: CN=ipa1.sub.ipaexample.com,O=SUB.IPAEXAMPLE.COM
  Subject DNS name: ipa1.sub.ipaexample.com, ipa2.sub.ipaexample.com
  Issuer: CN=Certificate Authority,O=SUB.IPAEXAMPLE.COM
  Not Before: Mon Jun 08 13:00:04 2020 UTC
  Not After: Thu Jun 09 13:00:04 2022 UTC
  Serial number: 15
  Serial number (hex): 0xF

4] When IP is not related to CN

# certutil -d . -R -a -o ipa4.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.3
# openssl req -text < ipa4.csr
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.3
# ipa cert-request ipa4.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa4.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.3) unreachable from DNS names

Version-Release number of selected component (if applicable):

How reproducible:
always
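The four cases above all hinge on how cert-request decides that an iPAddress SAN is "reachable from DNS names". The following Python model is an added illustration and is not FreeIPA's code or the reporter's. It assumes the rule the report implies: an IP SAN is accepted only when a dNSName SAN in the same request has a forward record for that IP and the IP has a PTR record back to that name (CNAME chains are left out). It further assumes, as a model of the pre-fix behaviour, that only DNS names owned by the requesting host principal were considered, which reproduces the error pattern of cases 1, 2 and 4; with `fixed=True` every dNSName in the request is considered and all four CSRs go through. The zone data is copied from the nslookup output, the host-to-name mapping and the extra `bogus.sub.ipaexample.com` name (forward record, no matching PTR) are constructed.

```python
"""Model of the iPAddress SAN check behind the 'unreachable from DNS names' error.

Added illustration, not FreeIPA's own code. See the lead-in for the assumed
rule: forward record from a dNSName SAN to the IP, and a PTR record back.
"""

# Constructed zone data, copied from the nslookup output in the bug description,
# plus one extra name (bogus.*) with a forward record but no matching PTR.
FORWARD = {
    "ipa1.sub.ipaexample.com": {"10.10.100.2"},
    "ipa2.sub.ipaexample.com": {"10.10.100.3"},
    "bogus.sub.ipaexample.com": {"10.10.100.3"},
}
REVERSE = {
    "10.10.100.2": {"ipa1.sub.ipaexample.com"},
    "10.10.100.3": {"ipa2.sub.ipaexample.com"},
}

# Assumed host entries: the DNS name each host principal owns.
PRINCIPAL_NAMES = {
    "host/ipa1.sub.ipaexample.com": {"ipa1.sub.ipaexample.com"},
    "host/ipa2.sub.ipaexample.com": {"ipa2.sub.ipaexample.com"},
}

ERROR_FMT = ("invalid 'csr': IP address in subjectAltName (%s) "
             "unreachable from DNS names")


class CSRInvalid(ValueError):
    """Raised where cert-request would reject the CSR."""


def ips_reachable_from(dns_names):
    """IPs that some name in dns_names resolves to AND that resolve back to it."""
    reachable = set()
    for name in dns_names:
        for ip in FORWARD.get(name, set()):
            if name in REVERSE.get(ip, set()):   # PTR must point back to the name
                reachable.add(ip)
    return reachable


def validate_ip_sans(principal, dns_sans, ip_sans, fixed=True):
    """Reject the first IP SAN that no permitted DNS name reaches.

    dNSName SANs are assumed to have already passed their own host/service
    checks, as they do in all four cases of the report.
    """
    if fixed:
        names = set(dns_sans)                      # every dNSName in the request
    else:
        # Assumed pre-fix model: only names owned by the requesting principal.
        names = set(dns_sans) & PRINCIPAL_NAMES.get(principal, set())
    reachable = ips_reachable_from(names)
    for ip in ip_sans:
        if ip not in reachable:
            raise CSRInvalid(ERROR_FMT % ip)


def cert_request_outcome(principal, dns_sans, ip_sans, fixed=True):
    """Return 'issued' or the error text, so the report's cases can be tabulated."""
    try:
        validate_ip_sans(principal, dns_sans, ip_sans, fixed)
    except CSRInvalid as exc:
        return "ipa: ERROR: " + str(exc)
    return "issued"


IPA1 = "ipa1.sub.ipaexample.com"
IPA2 = "ipa2.sub.ipaexample.com"
BOTH = [IPA1, IPA2]

# The four CSRs from the description: (principal, dNSName SANs, iPAddress SANs).
CASES = [
    ("host/" + IPA1, BOTH, ["10.10.100.2", "10.10.100.3"]),   # 1]
    ("host/" + IPA2, BOTH, ["10.10.100.2", "10.10.100.3"]),   # 2]
    ("host/" + IPA1, BOTH, ["10.10.100.2"]),                  # 3]
    ("host/" + IPA1, BOTH, ["10.10.100.3"]),                  # 4]
]

if __name__ == "__main__":
    for n, (principal, dns, ips) in enumerate(CASES, 1):
        print("case %d] %s  ips=%s" % (n, principal, ",".join(ips)))
        print("   before fix: " + cert_request_outcome(principal, dns, ips, fixed=False))
        print("   after fix:  " + cert_request_outcome(principal, dns, ips, fixed=True))
```

Running the script prints, for each of the four CSRs, the outcome under both models; the pre-fix column matches the errors quoted above (case 1 fails on 10.10.100.3, case 2 on 10.10.100.2, case 3 is issued, case 4 fails on 10.10.100.3). The `bogus.*` entry shows why the PTR half of the rule matters: a name that merely points at an IP is not enough to make that IP issuable.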