Red Hat Bugzilla – Bug 1400529
cert-request is not aware of Kerberos principal aliases
Last modified: 2017-08-01 05:44:33 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/6295

It is currently not possible to use `ipa cert-request` to issue certificates for hosts/services using their principal aliases (see the minimal reproducer below).

{{{
[root@master1 ~]# ipa service-add test/`hostname`
----------------------------------------------
Added service "test/master1.ipa.test@IPA.TEST"
----------------------------------------------
  Principal name: test/master1.ipa.test@IPA.TEST
  Principal alias: test/master1.ipa.test@IPA.TEST
  Managed by: master1.ipa.test
[root@master1 ~]# ipa service-add-principal test/`hostname` test2/`hostname`
---------------------------------------------------------------------------
Added new aliases to the service principal "test/master1.ipa.test@IPA.TEST"
---------------------------------------------------------------------------
  Principal name: test/master1.ipa.test@IPA.TEST
  Principal alias: test2/master1.ipa.test@IPA.TEST, test/master1.ipa.test@IPA.TEST
[root@master1 ~]# kinit -kt /etc/krb5.keytab host/`hostname`
[root@master1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_50GX1N0
Default principal: host/master1.ipa.test@IPA.TEST

Valid starting       Expires              Service principal
09/05/2016 10:44:40  09/06/2016 10:44:40  krbtgt/IPA.TEST@IPA.TEST
[root@master1 ~]# openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -subj '/CN=master1.ipa.test/subjectAltName=DNS.1=master1.ipa.test' -out test.csr
Generating a 2048 bit RSA private key
................................................+++
......................+++
writing new private key to 'test2service.key'
-----
[root@master1 ~]# ipa cert-request test.csr --principal test2/`hostname`
ipa: ERROR: The principal for this request doesn't exist.
[root@master1 ~]# ipa cert-request test.csr --principal test2/`hostname`@IPA.TEST
ipa: ERROR: The principal for this request doesn't exist.
[root@master1 ~]# ipa cert-request test.csr --principal test/`hostname`@IPA.TEST
  Issuing CA: ipa
  Certificate: MIIEA...
  Subject: CN=master1.ipa.test,O=IPA.TEST
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Serial number: 11
  Serial number (hex): 0xB
}}}

The code should be updated to perform an LDAP search for recipients by the supplied 'krbprincipalname' value and then perform the SAN DNS name checks and other operations against the list of Principal objects returned by the search.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7
Marking BZ as failedQA as fix is not ported in RHEL IPA build.
When pushing the patch I forgot to include the commit in the ipa-4-5 branch in this BZ; that's why it was not picked up during the build process. Pavel, can you please include it in the next build of ipa? Sorry for the inconvenience.

Fixed upstream: ipa-4-5: https://pagure.io/freeipa/c/dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7
Disregard my previous comment, the fix was pushed to master before ipa-4-5 was even forked so it should be there. In that case this seems to be either a legitimate bug or an issue in tests (given that the fix was provided upstream tests that are green). Fraser, can you investigate this with Abhijeet?
As Martin wrote above, the fix is already in IPA build. So the issue will be caused by something else.
Abhijeet,

The --principal option to `ipa cert-request` must be the canonical principal name. What this change does is allow information in the CSR to match the principal aliases. There is a separate ticket[1] (not yet implemented) to allow principal aliases to be used as the --principal argument.

[1] https://pagure.io/freeipa/issue/6531

So to test this, use the canonical principal name as the --principal argument, but include principal aliases in the CSR. e.g., try the following combinations, for appropriate instantiations of DOMAIN and OTHERDOMAIN.

1) Canonical principal name "test/DOMAIN", CN = "OTHERDOMAIN"
2) Canonical principal name "test/DOMAIN", CN = "DOMAIN", SAN dnsName = "OTHERDOMAIN"

Note that when comparing SERVICE principal names, because the CN and SAN dnsName are merely domain names, we prepend THE SAME SERVICE PREFIX as appears in the canonical principal. Therefore if the canonical principal name is test/DOMAIN, and the CN is OTHERDOMAIN, we look for "test/OTHERDOMAIN" among the principal aliases.

Another IMPORTANT note: your steps for creating a CSR with the subjectAltName extension are wrong -- you cannot put it in the Subject Name (-subj option) as you have done. Instead, create a config file like the below and supply the '-config FILENAME' option to `openssl req`.

---
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testhost1.ipa.local"

[ exts ]
subjectAltName=DNS:testhost2.ipa.local
---

Hope that helps!
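As an added illustration (not FreeIPA's own code), the two pieces of logic discussed in this bug modelled in Python: the alias lookup the description proposes, and the "prepend the canonical service prefix, then look among the aliases" rule Fraser describes for CN / SAN dnsName values. The directory entry is constructed from the reproducer; the host alias test/master2.ipa.test and the naive realm handling (realm stripped, host compared case-insensitively) are assumptions for the demonstration.

```python
# Added example, not FreeIPA code: models the cert-request alias checks from this bug.

def split_principal(principal):
    """'service/host[@REALM]' -> (service, host); realm dropped, host lower-cased."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError(f"not a service/host principal: {principal!r}")
    service, host = name.split("/", 1)
    return service, host.lower()

# Constructed entry based on the reproducer; krbprincipalname is the
# multi-valued alias attribute. test/master2.ipa.test is an assumed host alias.
PRINCIPALS = [
    {
        "krbcanonicalname": "test/master1.ipa.test@IPA.TEST",
        "krbprincipalname": [
            "test/master1.ipa.test@IPA.TEST",
            "test2/master1.ipa.test@IPA.TEST",
            "test/master2.ipa.test@IPA.TEST",
        ],
    },
]

def find_principal(requested, entries=PRINCIPALS):
    """Lookup by any krbprincipalname value (alias or canonical), as the
    description proposes; returns the entry or None."""
    key = split_principal(requested)
    for entry in entries:
        if key in {split_principal(p) for p in entry["krbprincipalname"]}:
            return entry
    return None

def check_csr_names(entry, csr_names):
    """Every CN / SAN dnsName in the CSR, with the canonical principal's
    service prefix prepended, must be one of the entry's principal names.
    Returns (ok, list_of_unmatched_names)."""
    service, _ = split_principal(entry["krbcanonicalname"])
    known = {split_principal(p) for p in entry["krbprincipalname"]}
    known.add(split_principal(entry["krbcanonicalname"]))
    unmatched = [n for n in csr_names if (service, n.lower()) not in known]
    return not unmatched, unmatched

if __name__ == "__main__":
    entry = find_principal("test/master1.ipa.test@IPA.TEST")
    # CN = canonical host, SAN dnsName = aliased host: accepted
    print(check_csr_names(entry, ["master1.ipa.test", "master2.ipa.test"]))
    # SAN dnsName with no matching alias: rejected, unmatched name reported
    print(check_csr_names(entry, ["master1.ipa.test", "master3.ipa.test"]))
```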
Verified using IPA server version: ipa-server-4.5.0-16.el7.x86_64

Marking BZ as verified. See attachment for console.log.
Created attachment 1286095: console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304