ipa cert-request is supposed to check that the DNS names included in the SubjectAltName extension of a CSR are authorized to be used with the certificate profile used with the CSR.
A regression introduced in c2af032 effectively bypassed this check, allowing the host principal to successfully submit a CSR with SAN DNS names of any host enrolled in the FreeIPA domain.
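As an added illustration (not FreeIPA's own code), a simplified model of the check the ticket describes: every dNSName in the CSR's SubjectAltName is mapped to a host principal, and each of those principals must be permitted by the CA ACL for the requested profile. The realm, the ACL table and the host names are constructed for the example; it uses the `cryptography` library to build and parse a real CSR.

```python
"""Simplified model of a per-SAN-name CA ACL check (constructed example)."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

REALM = "EXAMPLE.TEST"  # constructed realm

# Constructed CA ACL table: profile id -> principals allowed to use it.
CA_ACLS = {
    "caIPAserviceCert": {"host/web1.example.test@EXAMPLE.TEST"},
}


def san_dns_names(csr):
    """Return all dNSName values from the CSR's SubjectAltName (empty if absent)."""
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def check_san_authorized(csr, profile_id, acls=CA_ACLS):
    """Return the SAN DNS names that are NOT authorized for profile_id.

    An empty list means the request passes; a non-empty list must reject
    the whole request, since one unauthorized name is enough to mint a
    certificate valid for a host the requester does not control.
    """
    allowed = acls.get(profile_id, set())
    unauthorized = []
    for name in san_dns_names(csr):
        principal = f"host/{name.lower()}@{REALM}"  # hypothetical mapping
        if principal not in allowed:
            unauthorized.append(name)
    return unauthorized


def make_csr(common_name, san_names):
    """Build a signed CSR with the given CN and SAN dNSNames (test helper)."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
    if san_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]),
            critical=False)
    return builder.sign(key, hashes.SHA256())
```

A CSR whose subject names an authorized host but whose SAN also lists another enrolled host is exactly the case the check exists for, so the result is keyed on the SAN names rather than on the subject alone.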
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1372597
Fixed in master:
- 25ed36f Fix CA ACL Check on SubjectAltNames
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.1