Description of problem:
When issuing a certificate request in IDM, Subject Alternative Names of type IPAddress are not allowed.

Version-Release number of selected component (if applicable):

How reproducible:
Create a CSR containing IP SANs and issue them in IDM.

Steps to Reproduce:
1.
2.
3.

Actual results:
Certificate gets issued.

Expected results:
"Insufficient access: Subject alt name type IP Address is forbidden"

Additional info:
Upstream ticket: https://pagure.io/freeipa/issue/7451
Can we have this considered for RHEL 7.7?
Related blog post: https://frasertweedale.github.io/blog-redhat/posts/2019-02-18-freeipa-san-ip.html
Fixed upstream master:
https://pagure.io/freeipa/c/dccb2e0eb8953e449dadc344aaa7cd0d173b9717
https://pagure.io/freeipa/c/8ec4868a64a193917ee2c424ba5fdbf17f14b4ad
https://pagure.io/freeipa/c/eb70e64c0b0cd867dc0d771a3a145e5549012f92
https://pagure.io/freeipa/c/9c750f0738ccc81004ced8cd1c816e48be539f8b
https://pagure.io/freeipa/c/e37c025dac7c89aa59de98d66a443d49f6009de5
https://pagure.io/freeipa/c/474a2e6952e15fe3bf1bbf16853ecdc157355b0b
https://pagure.io/freeipa/c/a65c12d042e480ac5ff1c327feb94221c4b76782
ACKs are appearing so here are the backport PRs:
ipa-4-7 https://github.com/freeipa/freeipa/pull/2882
ipa-4-6 https://github.com/freeipa/freeipa/pull/2883
ipa-4-6:
5aa8b7a50fdf979ffb2894c1da2c06536c433fee Allow issuing certificates with IP addresses in subjectAltName
dd93dd1aa7dfe2a75821bad264a1fbaae935415e cert-request: restrict IPAddress SAN to host/service principals
42c69a05ee4bf431e5c9783b32a9ef49bd14037a cert-request: collect only qualified DNS names for IPAddress validation
ed3ef2042e5e048dc9b7f630bc4393a69f1e3dea cert-request: generalise _san_dnsname_ips for arbitrary cname depth
6e5c2d996f148267ef74daadea71d4f5c2701312 cert-request: report all unmatched SAN IP addresses
0295908c9ac6c2bbb95c133f2dc38def78645284 Add tests for cert-request IP address SAN support
1a78844dbdc147b8b85ef3821d055fa2b696ef0c cert-request: more specific errors in IP address validation
94ecaaa4b6651d387a642c3ef07b21f47408347d cert-request: handle missing zone
cbb972998b2ab7692764b49f578cc106920aa76e cert-request: fix py2 unicode/str issues
ipa-server-version : ipa-4.6.5-7.el7
All the tests for the RFE passed successfully. Thus marking the status of the bug as Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241