RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1586268 - [RFE] Red Hat Identity Manager IP SANs
Summary: [RFE] Red Hat Identity Manager IP SANs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: ipa-qe
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-05 20:19 UTC by Matt Bagnara
Modified: 2019-08-06 13:09 UTC (History)
12 users (show)

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: Enhancement
Doc Text:
.IdM now supports IP addresses in the SAN extension of certificates In certain situations, administrators need to issue certificates with an IP address in the Subject Alternative Name (SAN) extension. This update adds this feature. As a result, administrators can set an IP address in the SAN extension if the address is managed in the IdM DNS service and associated with the subject host or service principal.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:37 UTC

Description Matt Bagnara 2018-06-05 20:19:55 UTC 
Description of problem:
When issuing a certificate request in IDM, Subject Alternative Names of type IPAddress are not allowed.

Version-Release number of selected component (if applicable):


How reproducible:
Create a CSR containing IP SANs and issue them in IDM.

Steps to Reproduce:
1.
2.
3.

Actual results:
Certificate gets issued.

Expected results:
"Insufficient access: Subject alt name type IP Address is forbidden"

Additional info:
Comment 2 Florence Blanc-Renaud 2018-06-06 14:18:51 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7451
Comment 5 Brian J. Atkisson 2018-12-14 18:16:42 UTC 
Can we have this considered for RHEL 7.7?
Comment 7 Petr Vobornik 2019-02-21 13:33:54 UTC 
Related blog post: https://frasertweedale.github.io/blog-redhat/posts/2019-02-18-freeipa-san-ip.html
Comment 12 Florence Blanc-Renaud 2019-03-04 18:36:51 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/dccb2e0eb8953e449dadc344aaa7cd0d173b9717
https://pagure.io/freeipa/c/8ec4868a64a193917ee2c424ba5fdbf17f14b4ad
https://pagure.io/freeipa/c/eb70e64c0b0cd867dc0d771a3a145e5549012f92
https://pagure.io/freeipa/c/9c750f0738ccc81004ced8cd1c816e48be539f8b
https://pagure.io/freeipa/c/e37c025dac7c89aa59de98d66a443d49f6009de5
https://pagure.io/freeipa/c/474a2e6952e15fe3bf1bbf16853ecdc157355b0b
https://pagure.io/freeipa/c/a65c12d042e480ac5ff1c327feb94221c4b76782
Comment 14 Fraser Tweedale 2019-03-07 01:08:33 UTC 
ACKs are appearing so here are the backport PRs:

ipa-4-7 https://github.com/freeipa/freeipa/pull/2882
ipa-4-6 https://github.com/freeipa/freeipa/pull/2883
Comment 15 Fraser Tweedale 2019-03-11 00:43:05 UTC 
ipa-4-6:

    5aa8b7a50fdf979ffb2894c1da2c06536c433fee Allow issuing certificates with IP addresses in subjectAltName
    dd93dd1aa7dfe2a75821bad264a1fbaae935415e cert-request: restrict IPAddress SAN to host/service principals
    42c69a05ee4bf431e5c9783b32a9ef49bd14037a cert-request: collect only qualified DNS names for IPAddress validation
    ed3ef2042e5e048dc9b7f630bc4393a69f1e3dea cert-request: generalise _san_dnsname_ips for arbitrary cname depth
    6e5c2d996f148267ef74daadea71d4f5c2701312 cert-request: report all unmatched SAN IP addresses
    0295908c9ac6c2bbb95c133f2dc38def78645284 Add tests for cert-request IP address SAN support
    1a78844dbdc147b8b85ef3821d055fa2b696ef0c cert-request: more specific errors in IP address validation
    94ecaaa4b6651d387a642c3ef07b21f47408347d cert-request: handle missing zone
    cbb972998b2ab7692764b49f578cc106920aa76e cert-request: fix py2 unicode/str issues
Comment 17 Nikhil Dehadrai 2019-05-09 06:12:43 UTC 
ipa-server-version : ipa-4.6.5-7.el7

All the Tests for the RFE passed successfully.

Thus marking the status of bug to Verified
Comment 23 errata-xmlrpc 2019-08-06 13:09:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
Note You need to log in before you can comment on or make changes to this bug.