#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
Closed: fixed 2 years ago by ftweedal. Opened 2 years ago by ftweedal.

Request for enhancement

For ACME support, and for consistent and straightforward client experience, the ACME service
should be reachable via the ipa-ca.$DOMAIN DNS name. ACME requires TLS. Therefore we need to add the ipa-ca.$DOMAIN DNS name to IPA servers' HTTP certificates.

(Part of ACME effort https://pagure.io/freeipa/issue/4751 )


How do you plan to implement the feature?

The cert plugin verifies SAN names and only permits SAN entries for the current host and hosts that are managed by the current host. The ipa-ca.$DOMAIN DNS entry has no host principal entry. That means it is not possible to make ipa-ca managed by the server.

Metadata Update from @cheimes:
- Custom field blocking adjusted to 4751

2 years ago

@cheimes there's already a pull request: https://github.com/freeipa/freeipa/pull/4193

The commit that deals with the specific issue you raised is https://github.com/freeipa/freeipa/pull/4193/commits/7faf29f9d0c3300218cbde1460d13752bb937e7b. Check out the diff and we can continue the discussion either here or in the PR.

Metadata Update from @ftweedal:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4193

2 years ago

master:

  • 0711c4a certmonger: avoid mutable default argument
  • e0fb381 certmonger: move 'criteria' description to module docstring
  • 18ebd11 certmonger: support dnsname as request search criterion
  • 4cf9c86 httpinstance: add fqdn and ipa-ca alias to Certmonger request
  • f7c4564 cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
  • 4d5b5a9 httpinstance: add ipa-ca.$DOMAIN alias in initial request
  • cf4c2c6 upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
  • 45b5384 (HEAD) ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-8:

  • 0e9b777 certmonger: avoid mutable default argument
  • ff7d066 certmonger: move 'criteria' description to module docstring
  • b127bad certmonger: support dnsname as request search criterion
  • 5287358 httpinstance: add fqdn and ipa-ca alias to Certmonger request
  • 4b24129 cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
  • 5275342 httpinstance: add ipa-ca.$DOMAIN alias in initial request
  • c445cef upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
  • 8e92190 ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

master:

  • 9d9012f httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
  • e6fda6f (HEAD) upgrade: avoid stopping certmonger when fixing requests

ipa-4-8:

  • 00dd80b httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
  • f1564cd upgrade: avoid stopping certmonger when fixing requests
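The SAN policy raised in the comment above (names are permitted only for the requesting host and the hosts it manages, so an alias with no host entry such as ipa-ca.$DOMAIN can never pass) and the later "retry request without ipa-ca.$DOMAIN dnsName on failure" commit can be summarised in one small model. The code below is an added illustration written for this page; it is not FreeIPA's cert plugin or httpinstance code. The function names, the `managed_by` mapping, the `ipa_servers` set and the domain `example.test` are all assumptions made for the example.

```python
# Added illustrative model of the SAN dNSName policy discussed in this ticket.
# Not FreeIPA code: the names, data structures and domain below are assumptions.

DOMAIN = "example.test"  # assumed IPA domain


class PolicyError(Exception):
    """Raised when a requested dNSName is not permitted for the requester."""


def _norm(name):
    # DNS names are case-insensitive; strip a trailing dot from absolute names.
    return name.lower().rstrip(".")


def check_san_dnsnames(requester, dnsnames, managed_by, ipa_servers, domain=DOMAIN):
    """
    Decide whether host `requester` may obtain a certificate whose SAN lists
    each dNSName in `dnsnames`.

    Rules modelled on the ticket discussion:
      1. the requesting host's own FQDN is allowed;
      2. an FQDN of a host that `requester` manages (managed_by) is allowed;
      3. ipa-ca.$DOMAIN has no host entry, so rules 1-2 can never match it;
         it is allowed only when the requester is itself an IPA server;
      4. anything else is rejected.
    Returns the normalised accepted names, or raises PolicyError on the
    first name that is not permitted.
    """
    req = _norm(requester)
    alias = _norm(f"ipa-ca.{domain}")
    managed = {_norm(h) for h in managed_by.get(req, ())}
    servers = {_norm(s) for s in ipa_servers}
    accepted = []
    for name in dnsnames:
        n = _norm(name)
        if n == req or n in managed:
            accepted.append(n)
        elif n == alias:
            if req not in servers:
                raise PolicyError(f"{req} is not an IPA server; {n} not permitted")
            accepted.append(n)
        else:
            raise PolicyError(f"{req} neither is nor manages host {n}")
    return accepted


def san_permitted(requester, dnsnames, managed_by, ipa_servers, domain=DOMAIN):
    """Boolean wrapper around check_san_dnsnames for callers that only need yes/no."""
    try:
        check_san_dnsnames(requester, dnsnames, managed_by, ipa_servers, domain)
        return True
    except PolicyError:
        return False


def request_http_cert(requester, managed_by, ipa_servers, domain=DOMAIN):
    """
    Model of the 'retry without ipa-ca.$DOMAIN on failure' behaviour: first ask
    for the FQDN plus the alias; if the policy rejects that (for example the CA
    side does not yet recognise the requester as a server), fall back to a
    request for the FQDN alone so the HTTP certificate is still issued.
    """
    wanted = [requester, f"ipa-ca.{domain}"]
    try:
        return check_san_dnsnames(requester, wanted, managed_by, ipa_servers, domain)
    except PolicyError:
        return check_san_dnsnames(requester, [requester], managed_by, ipa_servers, domain)


if __name__ == "__main__":
    # Constructed sample topology: one IPA server managing one web host.
    servers = {"ipa1.example.test"}
    managed = {"ipa1.example.test": {"web.example.test"}}
    print(request_http_cert("ipa1.example.test", managed, servers))
    print(request_http_cert("client.example.test", managed, servers))
```

The important property is that the alias is never reachable through the generic "is or manages this host" rule, so the exception must be keyed on the requester's role (IPA server) rather than on a host entry; the fallback exists only so that a failed alias request does not leave a server without any HTTP certificate.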

