cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~1`.

ACME support requires TLS and we want ACME clients to access the
service via the ipa-ca.$DOMAIN DNS name.  So we need to add the
ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates.  To
facilitate this, add a special case to the cert-request command
processing.  The rule is:

- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server

Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
Otherwise continue with the usual dnsName validation.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fraser Tweedale 2020-01-31 23:03:08 +11:00
parent 4cf9c8689f
commit f7c45641fe


@ -36,7 +36,7 @@ from ipalib import api
from ipalib import errors, messages
from ipalib import x509
from ipalib import ngettext
from ipalib.constants import IPA_CA_CN
from ipalib.constants import IPA_CA_CN, IPA_CA_RECORD
from ipalib.crud import Create, PKQuery, Retrieve, Search
from ipalib.frontend import Method, Object
from ipalib.parameters import (
@ -799,6 +799,21 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
name = gn.value
# Special case: if the DNS name is ipa-ca.$DOMAIN and if the
# subject principal is the HTTP service for an IPA server
# then allow the name.
if name == f'{IPA_CA_RECORD}.{self.api.env.domain}' \
and principal.is_service \
and principal.service_name == 'HTTP':
try:
self.api.Command.server_show(principal.hostname)
except errors.NotFound:
pass # not an IPA server; proceed as usual
else:
# subject principal is an IPA server, so the
# ipa-ca.$DOMAIN name is allowed
continue
if _dns_name_matches_principal(name, principal, principal_obj):
san_dnsnames.add(name)
continue # nothing more to check for this alt name
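Review bot: the `continue` in the `else:` branch of the new special case skips the `san_dnsnames.add(name)` that the regular path performs just below it, so an accepted ipa-ca.$DOMAIN name never enters `san_dnsnames`; if anything after this loop relies on that set (for example to confirm which alt names were validated), either this is a silent omission or it needs a comment stating that the name is deliberately left out, so add `san_dnsnames.add(name)` before the `continue` or document the omission. Related: only `errors.NotFound` is caught around `self.api.Command.server_show(principal.hostname)`, so any other failure of that command (permission or connection errors) will surface as a failure of cert-request rather than falling through to the usual dnsName validation; state in the comment that this is intended, or catch the broader error and fall through. Minor style point: the three-line condition joined with backslashes would read better as a parenthesised expression, e.g. `if (name == f'{IPA_CA_RECORD}.{self.api.env.domain}'` / `and principal.is_service` / `and principal.service_name == 'HTTP'):`.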