From 4b24129f9e1ceb322c5477f9a0869f7a6b521f09 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Jun 07 2020 07:38:27 +0000 Subject: cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers For detailed discussion on the purpose of this change and the design decisions made, see `git log -1 $THIS_COMMIT~1`. ACME support requires TLS and we want ACME clients to access the service via the ipa-ca.$DOMAIN DNS name. So we need to add the ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates. To facilitiate this, add a special case to the cert-request command processing. The rule is: - if the dnsName being validated is "ipa-ca.$DOMAIN" - and the subject principal is an "HTTP/..." service - and the subject principal's hostname is an IPA server Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed. Otherwise continue with the usual dnsName validation. Part of: https://pagure.io/freeipa/issue/8186 Reviewed-By: Rob Crittenden Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 6e67bb5..b5008ae 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -36,7 +36,7 @@ from ipalib import api
 from ipalib import errors, messages
 from ipalib import x509
 from ipalib import ngettext
-from ipalib.constants import IPA_CA_CN
+from ipalib.constants import IPA_CA_CN, IPA_CA_RECORD
 from ipalib.crud import Create, PKQuery, Retrieve, Search
 from ipalib.frontend import Method, Object
 from ipalib.parameters import (
@@ -799,6 +799,21 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): name = gn.value + # Special case: if the DNS name is ipa-ca.$DOMAIN and if the + # subject principal is the HTTP service for an IPA server + # then allow the name. + if name == f'{IPA_CA_RECORD}.{self.api.env.domain}' \ + and principal.is_service \ + and principal.service_name == 'HTTP': + try: + self.api.Command.server_show(principal.hostname) + except errors.NotFound: + pass # not an IPA server; proceed as usual + else: + # subject principal is an IPA server, so the + # ipa-ca.$DOMAIN name is allowed + continue + if _dns_name_matches_principal(name, principal, principal_obj): san_dnsnames.add(name) continue # nothing more to check for this alt name
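Review bot: The `continue` in the new ipa-ca.$DOMAIN special case leaves the accepted name out of `san_dnsnames`, whereas the `_dns_name_matches_principal` branch directly below records every name it accepts with `san_dnsnames.add(name)` before continuing; if that set is consulted after the loop (not visible in this hunk), the ipa-ca name would be missing for exactly the certificates this change enables, so either add `san_dnsnames.add(name)` before the `continue` or say in the comment that the omission is deliberate. The `server_show` lookup appears to run with the requester's own privileges, so a caller without read access to the server entry presumably sees `NotFound` and drops through to the normal validation — that is fail-closed, and a comment such as `# NotFound (entry missing, or not readable by the requester) falls back to the usual checks` would make the intent explicit. The comparison against `f'{IPA_CA_RECORD}.{self.api.env.domain}'` is an exact string match, so a CSR carrying the name in different case or with a trailing dot bypasses the special case and takes the usual path; that is also fail-safe, but if the normal path compares DNS names case-insensitively this is an inconsistency worth normalizing with `name.rstrip('.').lower()`. The enclosing method starts and ends outside the hunk.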