msauton reported:
web browsers may not be able to access the Dogtag web services pages when the internal SSL server certificate is missing its SAN extension (current default):
we may want to consider this for 10.5
Steps to Reproduce:
1. any default install
2. certutil -L -d /etc/pki/subca1/alias/ -n "Server-Cert cert-subca1" | less
Actual results:
by default, we always have 4 extensions:

    Signed Extensions:
        Name: Certificate Authority Key Identifier
        Key ID:
            85:22:b0:87:24:df:df:30:e6:11:46:b6:19:58:00:86:
            82:e3:9b:f3

        Name: Authority Information Access
        Method: PKIX Online Certificate Status Protocol
        Location:
            URI: "http://ca1.example.com:8444/ca/ocsp"

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Key Encipherment
                Data Encipherment

        Name: Extended Key Usage
            TLS Web Server Authentication Certificate
Expected results:
need the SAN or CNtoSAN
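As an added illustration (not part of the report or of the Dogtag code), the check a practitioner would run over `certutil -L` output of the kind quoted above: a SAN-only client such as a browser ignores the Subject CN entirely, so the default four-extension server cert fails hostname verification until a SAN is present. The two sample outputs are constructed and abridged, and the `Certificate Subject Alt Name` / `DNS name:` labels are assumed to be certutil's standard ones.

```python
import re

# Constructed sample modelled on the certutil -L output in the report (abridged):
# the default server cert carries four extensions and no SAN.
CERT_NO_SAN = """\
        Subject: "CN=ca1.example.com,O=EXAMPLE"
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
"""

# Constructed sample of the same cert after the CN has been copied into a SAN.
CERT_WITH_SAN = CERT_NO_SAN + """\
            Name: Certificate Subject Alt Name
            DNS name: "ca1.example.com"
"""

def parse_cert(text):
    """Pull the Subject CN, extension names and SAN DNS names out of certutil -L text."""
    cn = None
    m = re.search(r'Subject:\s*"([^"]*)"', text)
    if m:
        for rdn in m.group(1).split(","):
            key, _, value = rdn.partition("=")
            if key.strip().upper() == "CN":
                cn = value.strip()
    exts = re.findall(r"^\s*Name:\s*(.+?)\s*$", text, re.M)
    dns_names = re.findall(r'^\s*DNS name:\s*"([^"]*)"', text, re.M)
    return cn, exts, dns_names

def san_matches(hostname, pattern):
    """RFC 6125 style match: exact, or a single leftmost-label wildcard."""
    h, p = hostname.lower(), pattern.lower()
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return h == p

def check_server_cert(text, hostname):
    """Return (ok, reason) as a SAN-only client such as a browser would judge the cert."""
    cn, exts, dns_names = parse_cert(text)
    if "Certificate Subject Alt Name" not in exts:
        return False, f"no SAN extension; CN={cn!r} is ignored by browsers"
    if not any(san_matches(hostname, n) for n in dns_names):
        return False, f"SAN {dns_names} does not cover {hostname!r}"
    return True, f"SAN covers {hostname!r}"
```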
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1562423
- Custom field type adjusted to None
- Custom field version adjusted to None
Per 10.5.x/10.6 Triage: 10.5
cfu: I think this one is very much worthwhile for 10.5
Metadata Update from @mharmsen: - Issue assigned to jmagne
Metadata Update from @cfu: - Issue assigned to cfu (was: jmagne)
https://review.gerrithub.io/#/c/dogtagpki/pki/+/411649/
for the record, I just closed https://pagure.io/dogtagpki/issue/2979 as that seems to be a duplicate of this ticket.
commit f1167a6d0fea6f3876520b03c601237852237053 (ticket-2995-defaultSANinServerProfiles-r2-master)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu May 17 19:36:10 2018 -0700

    Ticket #2995 SAN in internal SSL server certificate in pkispawn configuration step

    This patch adds CommonNameToSANDefault to all server profiles so that SAN will be placed in server certs by default. For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault will have to be used instead.

    fixes: https://pagure.io/dogtagpki/issue/2995
    Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641
Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.8 (was: 10.5)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.8-1.fc27
It appears there has been a regression with the v10.6.0+ releases.
From what I can tell is that all of the changes from v10.5.8 are missing from v10.6.0+.
https://github.com/dogtagpki/pki/compare/v10.6.0...v10.5.8#diff-8be8e3186c45873a3e7822e8462ad55a
https://github.com/dogtagpki/pki/compare/master...v10.5.8#diff-8be8e3186c45873a3e7822e8462ad55a
On 07/02/2018 05:17 PM, Jared Szechy wrote:
Jared,
I believe that edewata can probably answer this better than me, but current development is taking place on multiple branches:
-- Matt
Matt,
What you described seems accurate. However, it doesn't make sense that I should have to downgrade to Fedora 27 to get recent bug-fixes/updates to dogtag. Changes made to the 10.5.x branch should get merged into the master/dev branches as well; if not, a regression will occur. I don't see any of the recent 10.5.x changes on master (including the fix for this SAN issue).
Hi,
Please note that the fix was checked into master branch (i.e. 10.6), then cherry-picked into 10.5 branch (or the other way around). It's not git merged, so the commit IDs are different.
The master branch was fixed in this commit: https://github.com/dogtagpki/pki/commit/f1167a6d0fea6f3876520b03c601237852237053 The v10.6.2 tag under the commit message indicates that it was fixed in PKI 10.6.2.
The 10.5 branch was fixed in this commit: https://github.com/dogtagpki/pki/commit/7eae0d840c1b7494db2cea67744366fe409eafea There is no tag information, but this ticket indicates that it was fixed in PKI 10.5.8.
PKI 10.6.x is available on Fedora 28+, and PKI 10.5.x is available on Fedora 27, so just grab the latest version available on your platform.
PKI 10.6.2 is actually only available on F29 right now: https://koji.fedoraproject.org/koji/packageinfo?packageID=11434 It's not ready for release on F28.
If you need the fix for this issue now, you probably could grab PKI 10.6.2 SRPM from F29 and rebuild it on F28. You'll need to rebuild the latest JSS from F29 as well: https://koji.fedoraproject.org/koji/packageinfo?packageID=4397
Or probably installing PKI and JSS F29 RPMs on F28 would work too.
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3113
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.