Bug 1445927 - IPA certificate not accepted by recent Chrome
Status: CLOSED DUPLICATE of bug 1445345
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 26
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-04-26 19:54 UTC by Tomasz Torcz
Modified: 2017-05-12 16:19 UTC

Last Closed: 2017-05-12 16:19:53 UTC
Type: Bug

Description Tomasz Torcz 2017-04-26 19:54:05 UTC
Description of problem:
Recently, Chromium started to complain about the web certificate on the IPA server. The error NET::ERR_CERT_COMMON_NAME_INVALID talks about [missing_subjectAltName].
It was working correctly until recently. The IPA CA certificate is added to the system trust database.

Similar issue was reported to the mailing list recently:
https://www.redhat.com/archives/freeipa-users/2017-April/msg00195.html

Version-Release number of selected component (if applicable):
freeipa-server-4.4.4-1.fc26.x86_64
google-chrome-stable-58.0.3029.81-1.x86_64
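
The condition behind the [missing_subjectAltName] error reported above, as an added example that is not part of the original report or of FreeIPA: Chrome 58 matches the host name only against subjectAltName entries and no longer falls back to the subject CN, so the script classifies a certificate by its dNSName entries alone. The host name ipa.example.test, the function names and the throwaway certificates are constructed for illustration; it assumes an openssl binary that supports -addext (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the bug report). Hostname and certs are constructed.

# Print the dNSName entries of a certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed if HOST equals a dNSName or is covered by a left-most "*." wildcard.
# The subject CN is deliberately never consulted.
cert_has_san_for() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $host in
        *.*) parent="*.${host#*.}" ;;
        *)   parent=$host ;;
    esac
    san_dns_names "$1" | tr 'A-Z' 'a-z' | grep -qxF -e "$host" -e "$parent"
}

# Print "ok", "no_san_dns_name" (what Chrome 58 rejects) or "san_mismatch".
classify_cert() {
    if [ -z "$(san_dns_names "$1")" ]; then echo no_san_dns_name
    elif cert_has_san_for "$1" "$2"; then echo ok
    else echo san_mismatch
    fi
}

# Constructed sample input: a throwaway self-signed certificate.
# usage: make_sample_cert OUT.pem CN [subjectAltName value]
make_sample_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" -keyout "$1.key" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/cn-only.pem" ipa.example.test
make_sample_cert "$tmp/with-san.pem" ipa.example.test "DNS:ipa.example.test"
for c in cn-only with-san; do
    echo "$c: $(classify_cert "$tmp/$c.pem" ipa.example.test)"
done
rm -rf "$tmp"
```
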

Comment 1 Mike Kelly 2017-05-04 18:47:39 UTC
A workaround exists via Chrome policies:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

For example, on macOS:

defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -boolean TRUE

Comment 2 Petr Vobornik 2017-05-12 16:19:53 UTC

*** This bug has been marked as a duplicate of bug 1445345 ***

