Bug 1903133

Summary: Server-Cert.crt created using dscreate has Subject:CN =localhost instead of hostname.
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Priority: high
Version: 8.4
CC: aadhikar, mreynolds, msauton, pasik, sgouvern, toneata
Target Milestone: rc
Keywords: Regression, Triaged, ZStream
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8040020201216214810.866effaa
Last Closed: 2021-05-18 15:45:43 UTC
Type: Bug
Bug Blocks: 1912481

Description Sudhir Menon 2020-12-01 12:09:34 UTC
Description of problem: Server-Cert created upon using dscreate has Subject:CN =localhost instead of hostname.


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
389-ds-base-1.4.3.16-3.module+el8.4.0+8869+55706461.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Install 389-ds-instance using dscreate
2.  Ensure installation is successful and check the cert created


Actual results:
[root@client slapd-instance4]# certutil -d . -L -n 'Server-Cert'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:b6:ac:b1:48
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=ssca.389ds.example.com,O=testing,L=389ds,ST=Queensland,C=
            AU"
        Validity:
            Not Before: Tue Dec 01 11:36:39 2020
            Not After : Thu Dec 01 11:36:39 2022
        Subject: "CN=localhost,givenName=8e3f42d6-b294-4c21-b62d-482ea6a04a2d
            ,O=testing,L=389ds,ST=Queensland,C=AU"

Expected results:
CN=localhost should be replaced with the actual hostname of the system.

Additional info:

Comment 2 mreynolds 2020-12-01 16:44:54 UTC
I can reproduce this, and have a tentative fix, but I don't see why it works in 1.4.2 and not in 1.4.3.

Comment 3 mreynolds 2020-12-03 15:24:46 UTC
Upstream ticket

https://github.com/389ds/389-ds-base/issues/4460

Comment 7 Akshay Adhikari 2020-12-18 11:05:14 UTC
Build Tested: 389-ds-base-1.4.3.16-6.module+el8.4.0+9207+729bbaca.x86_64

[root@ci-vm-XX-XX-XX-XX slapd-TEST]# certutil -d . -L -n 'Server-Cert'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:b6:d7:5b:d2
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=ssca.389ds.example.com,O=testing,L=389ds,ST=Queensland,C=
            AU"
        Validity:
            Not Before: Fri Dec 18 10:49:57 2020
            Not After : Sun Dec 18 10:49:57 2022
        Subject: "CN=<hostname>,givenNam
            e=e445d3f3-0593-4607-bcc0-739a4ff41434,O=testing,L=389ds,ST=Queen
            sland,C=AU"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:

'Server-Cert' has Subject: "CN=<hostname>" where <hostname> is the actual hostname of the system.

-> Marking as verified: tested.
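
Added example (not part of the original report or of 389-ds-base): a scripted form of the check done by eye above. It re-joins the Subject DN that certutil wraps across lines, even mid-word as in the dump in comment 7, and flags a CN of localhost. The function names and the host name ds1.example.com are assumptions made for illustration.

```sh
# subject_cn: reads `certutil -L -n NAME` text on stdin and prints the Subject CN.
# The quoted DN is re-joined first; RDNs are split on "," (no escaped commas expected).
subject_cn() {
  awk '
    /^[ \t]*Subject: "/ { grab = 1; buf = ""; sub(/^[ \t]*Subject: "/, "") }
    grab {
      line = $0
      gsub(/^[ \t]+|[ \t]+$/, "", line)   # drop continuation indent
      buf = buf line
      if (line ~ /"$/) { done = 1; exit } # closing quote ends the DN
    }
    END {
      if (!done) exit 1
      sub(/"$/, "", buf)
      n = split(buf, rdn, ",")
      for (i = 1; i <= n; i++)
        if (rdn[i] ~ /^CN=/) { print substr(rdn[i], 4); exit 0 }
      exit 1
    }'
}
# check_server_cert EXPECTED: 0 = CN matches, 1 = localhost or mismatch, 2 = no CN.
check_server_cert() {
  cn=$(subject_cn) || { echo "no Subject CN found" >&2; return 2; }
  cn=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if [ "$cn" = "localhost" ] || [ "$cn" != "$want" ]; then
    echo "MISMATCH: Server-Cert CN=$cn, expected $want"; return 1
  fi
  echo "OK: Server-Cert CN=$cn"
}
# Constructed samples shaped like the two dumps in this report (host name made up).
sample_localhost() { cat <<'EOF'
        Subject: "CN=localhost,givenName=8e3f42d6-b294-4c21-b62d-482ea6a04a2d
            ,O=testing,L=389ds,ST=Queensland,C=AU"
EOF
}
sample_fixed() { cat <<'EOF'
        Subject: "CN=ds1.example.com,givenNam
            e=e445d3f3-0593-4607-bcc0-739a4ff41434,O=testing,L=389ds,ST=Queen
            sland,C=AU"
        Subject Public Key Info:
EOF
}
sample_localhost | check_server_cert ds1.example.com || true
sample_fixed | check_server_cert ds1.example.com
```

Against a live instance, run it from the instance's NSS directory as in the report: `certutil -d . -L -n 'Server-Cert' | check_server_cert "$(hostname)"`. Whether the certificate carries the short or the fully qualified name is an assumption to confirm on your system.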

Comment 10 sgouvern 2020-12-21 13:52:03 UTC
As per comment 7, marking as VERIFIED with build 389-ds-base-1.4.3.16-6.module+el8.4.0+9207+729bbaca.x86_64

Comment 13 errata-xmlrpc 2021-05-18 15:45:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1835