f7c4564 cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers

Authored and Committed by ftweedal 4 years ago
    cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~1`.
    
    ACME support requires TLS and we want ACME clients to access the
    service via the ipa-ca.$DOMAIN DNS name.  So we need to add the
    ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates.  To
    facilitate this, add a special case to the cert-request command
    processing.  The rule is:
    
    - if the dnsName being validated is "ipa-ca.$DOMAIN"
    - and the subject principal is an "HTTP/..." service
    - and the subject principal's hostname is an IPA server
    
    Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
    Otherwise continue with the usual dnsName validation.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
file modified
+16 -1
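The three-condition rule stated in the commit message, written out as a standalone check. This is an added illustration, not FreeIPA's own code: the `Principal` parser, the IPA-server set passed in as a plain collection, and the `usual_dnsname_check` fallback (modelled here as "the dNSName must equal the subject principal's hostname") are all assumptions made for the example; the real fallback in FreeIPA is the existing validation the message refers to and is not shown on this page.

```python
# Added example of the ipa-ca.$DOMAIN special case described in the commit
# message. Not FreeIPA's implementation; helper names and the fallback
# validation are assumptions for illustration.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Principal:
    service: str    # e.g. "HTTP"
    hostname: str   # e.g. "server1.example.test" (lower-cased)
    realm: str      # e.g. "EXAMPLE.TEST"


def parse_principal(name: str) -> Principal:
    """Split 'SERVICE/hostname@REALM' into its parts (assumed format)."""
    svc_host, _, realm = name.rpartition("@")
    service, _, hostname = svc_host.partition("/")
    if not (service and hostname and realm):
        raise ValueError(f"not a Kerberos service principal: {name!r}")
    return Principal(service, hostname.lower(), realm)


def ipa_ca_name_allowed(dnsname: str, principal: Principal,
                        domain: str, ipa_servers: Iterable[str]) -> bool:
    """The special case: all three conditions from the commit message."""
    servers = {h.lower() for h in ipa_servers}
    return (
        dnsname.lower() == f"ipa-ca.{domain.lower()}"   # name is ipa-ca.$DOMAIN
        and principal.service == "HTTP"                 # HTTP/... service
        and principal.hostname in servers               # host is an IPA server
    )


def usual_dnsname_check(dnsname: str, principal: Principal) -> bool:
    """Stand-in (assumption) for the pre-existing dNSName validation:
    the name must match the subject principal's own hostname."""
    return dnsname.lower() == principal.hostname


def validate_dnsname(dnsname: str, principal_name: str,
                     domain: str, ipa_servers: Iterable[str]) -> bool:
    """Allow ipa-ca.$DOMAIN immediately when the special case applies,
    otherwise continue with the usual validation."""
    principal = parse_principal(principal_name)
    if ipa_ca_name_allowed(dnsname, principal, domain, ipa_servers):
        return True
    return usual_dnsname_check(dnsname, principal)


# Constructed sample data (not real hosts).
DOMAIN = "example.test"
IPA_SERVERS = ["server1.example.test", "server2.example.test"]


def demo() -> dict:
    """Run the rule over a few constructed cases and return the outcomes."""
    return {
        "http_on_server": validate_dnsname(
            "ipa-ca.example.test", "HTTP/server1.example.test@EXAMPLE.TEST",
            DOMAIN, IPA_SERVERS),
        "ldap_on_server": validate_dnsname(
            "ipa-ca.example.test", "ldap/server1.example.test@EXAMPLE.TEST",
            DOMAIN, IPA_SERVERS),
        "http_on_client": validate_dnsname(
            "ipa-ca.example.test", "HTTP/client1.example.test@EXAMPLE.TEST",
            DOMAIN, IPA_SERVERS),
        "own_hostname": validate_dnsname(
            "server1.example.test", "HTTP/server1.example.test@EXAMPLE.TEST",
            DOMAIN, IPA_SERVERS),
        "other_hostname": validate_dnsname(
            "server2.example.test", "HTTP/server1.example.test@EXAMPLE.TEST",
            DOMAIN, IPA_SERVERS),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

The point of the ordering is that the special case is checked first and only short-circuits to "allowed" when every condition holds; a non-HTTP service or a non-server host asking for ipa-ca.$DOMAIN falls through to the ordinary check, which (under this example's stand-in rule) rejects it because the name is not the principal's own hostname.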