Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1252517

Summary: cert-request rejects request with correct krb5PrincipalName SAN
Product: Red Hat Enterprise Linux 7 Reporter: Martin Bašti <mbasti>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: drieden, ksiddiqu, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-5.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1391799 (view as bug list) Environment:
Last Closed: 2015-11-19 12:05:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1391799    

Description Martin Bašti 2015-08-11 15:34:10 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5191

cert-request checks krb5PrincipalName SAN OtherName for match
against the target principal to whom the certificate is being
issued, however, it fails when it should not.

For example, for principal alice in domain IPA.LOCAL, if the
principal is specified on the command line as `alice', the
command fails with message:

{{{
ftweedal% ipa cert-request alice-k5pn.req --principal alice
ipa: ERROR: Insufficient access: Principal 'alice' in subject alt name does not match requested principal
}}}
Comment 1 Martin Bašti 2015-08-11 15:36:09 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ba7e5df19433faddc1369a26824e7fc6efd7f983
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/58cf1cd65fc1e8d02a8b5f43fd5157786e232486
Comment 4 Scott Poore 2015-10-01 20:34:46 UTC 
Ok, first I reproduced the issue with 4.2.0-3:

[root@rhel7-5 yum.repos.d]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@rhel7-5 yum.repos.d]# sed  -i '/^profileId=.*$/d' caIPAuserCert.txt

[root@rhel7-5 yum.repos.d]# sed -i 's/^desc=.*$/desc=test ca profile/' caIPAuserCert.txt

[root@rhel7-5 yum.repos.d]# echo "profileId=caIPAuserCert" >> caIPAuserCert.txt

[root@rhel7-5 yum.repos.d]# ipa certprofile-import caIPAuserCert --desc="test ca profile" --file=caIPAuserCert.txt --store=True
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
  Profile ID: caIPAuserCert
  Profile description: test ca profile
  Store issued certificates: TRUE

[root@rhel7-5 yum.repos.d]# ipa user-add alice --first=f --last=l
------------------
Added user "alice"
------------------
  User login: alice
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/alice
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: alice
  Email address: alice
  UID: 1229800001
  GID: 1229800001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@rhel7-5 yum.repos.d]# vi alice-k5pn.cnf

[root@rhel7-5 yum.repos.d]# cat alice-k5pn.cnf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "alice"

[ exts ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal

[ krb5principal ]
realm = EXPLICIT:0,GeneralString:EXAMPLE.COM
principalname = EXPLICIT:1,SEQUENCE:principalname

[ principalname ]
nametype = EXPLICIT:0,INT:0
namestring = EXPLICIT:1,SEQUENCE:namestring

[ namestring ]
part1 = GeneralString:alice

[root@rhel7-5 yum.repos.d]# openssl req -out alice-k5pn.csr -new -newkey rsa:2048 -nodes -keyout alice-k5pn.key -config alice-k5pn.cnf
Generating a 2048 bit RSA private key
.........................................................+++
......+++
writing new private key to 'alice-k5pn.key'
-----

#### DO NOT DO THIS...this is for testing only!

[root@rhel7-5 yum.repos.d]# ipa caacl-add all_access --hostcat=all --servicecat=all --usercat=all --profilecat=all
-------------------------
Added CA ACL "all_access"
-------------------------
  ACL name: all_access
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all

####

[root@rhel7-5 yum.repos.d]# ipa cert-request alice-k5pn.csr --profile=caIPAuserCert --principal=aliceipa: ERROR: Insufficient access: Principal 'alice' in subject alt name does not match requested principal
Comment 5 Scott Poore 2015-10-01 21:11:00 UTC 
Verified

Version ::

ipa-server-4.2.0-12.el7.x86_64

Results ::

This was run after yum update and ipactl restart:

[root@rhel7-5 yum.repos.d]# ipa cert-request alice-k5pn.csr --profile=caIPAuserCert --principal=alice
  Certificate: MIIEPzCCAyegAwIBAgIBCzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE1MTAwMTIxMDYwMVoXDTE3MTAwMTIxMDYwMVowJjEUMBIGA1UECgwLRVhBTVBMRS5DT00xDjAMBgNVBAMMBWFsaWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoCmVjxE6XaAp7UBrjpSaf3ziyjeI34/R+XD66yG0IwYUq2pXRsSI+gyVYjy2dAqB/7AmMcBBu+hwnm2OLru+QpVs36IgE8g2gNzf9iWIEseb/ftfg9dy6YfOmbeGsgYjXq6BnwtJ/rB+BMO70rJUv2aKTSjdwdmG6O1KxCqw2kbKSeP5xIIVGCGchWCjg36jWRLo8RW6zDHxFeMEP2RObbc/mvDUHrZqhVjYn27jJLk5fcyfWDS4zg6scyzYnUs4uEbXmaiHA/YzodfKv8dOUr5VQLJb4PMotwCh7dmwxa1VJvT/G2GrtpoI2+x0SnzHjMduSn3j6zgRt6HYNz1DhQIDAQABo4IBZjCCAWIwHwYDVR0jBBgwFoAUgPhD4k4TmKMCWEJi7euwNZ9XKd4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vaXBhLWNhLmV4YW1wbGUuY29tL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BgNVHR8EbzBtMGugM6Axhi9odHRwOi8vaXBhLWNhLmV4YW1wbGUuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUTJ6kDumJNKgxaJVQJrotm74sWrIwOgYDVR0RBDMwMaAvBgYrBgEFAgKgJTAjoA0bC0VYQU1QTEUuQ09NoRIwEKADAgEAoQkwBxsFYWxpY2UwDQYJKoZIhvcNAQELBQADggEBAA38EAHJ7ebq5UfBd1LuHNhiX5lRh6uiZ/QY36Ph3Ps/cUo3tSHvCmOnzZRIj0LUgs0TR3KkaCqSTjejKvdxGN4rC+IbTPrOSO98QVpnNLoopA2RDA5o2cYcmDoMW8ihQd+gi+bUQj6uy9ZWeKLTqL4s5HLfIe6tHG8fOZPRXrcNwmyblJ5JaAmM0d37oBpWQoOu07gVjrJf8ubKWkaQhdPn8ohOpqLCy9imQUVWZ7X0Vm0L2FtCb7C/jCjBysg5lDszM+jVbxRg6/X+AK3aREclaCCazWFktteYXbaI44t/gvHVTCmQBm6lg/5vVCeP3RMU69hHoA9pL2RA0wS8p1c=
  Subject: CN=alice,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Thu Oct 01 21:06:01 2015 UTC
  Not After: Sun Oct 01 21:06:01 2017 UTC
  Fingerprint (MD5): 37:9d:a5:e1:32:be:61:29:a9:38:1a:33:45:9c:26:b3
  Fingerprint (SHA1): 09:b7:a1:f2:ab:82:c2:6b:62:a5:c3:65:e1:6f:95:b4:b2:a0:23:da
  Serial number: 11
  Serial number (hex): 0xB
Comment 6 errata-xmlrpc 2015-11-19 12:05:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html