[freeipa PR#4193][opened] [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/4193
Author: frasertweedale
Title: #4193: [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
Action: opened
PR body:
"""
First PR for the ACME effort. This is needed so ACME clients can reach IPA
ACME service via the ``ipa-ca.$DOMAIN`` DNS name (ACME requires TLS).
This change is also reasonable, independent of the ACME effort.
https://pagure.io/freeipa/issue/8186
```
83a5a3aa6 (Fraser Tweedale, 11 hours ago)
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName, resubmit
the certificate request to add the name. This action is performed after
the tracking request has already been updated.
Note: due to https://pagure.io/certmonger/issue/143 the resubmitted
request, if it does not immediately succeed and if the notAfter date of the
current certificate is still far off, the request could get stuck in state
CA_UNREACHABLE until a Certmonger restart. There is not much we can do
about that in the middle of ipa-server-upgrade.
Part of: https://pagure.io/freeipa/issue/8186
efe071539 (Fraser Tweedale, 12 hours ago)
httpinstance: add ipa-ca.$DOMAIN alias in initial request
For new server/replica installation, issue the HTTP server certificate with
the 'ipa-ca.$DOMAIN' SAN dNSName. This is accomplished by adding the name
to the Certmonger tracking request.
Part of: https://pagure.io/freeipa/issue/8186
feea49420 (Fraser Tweedale, 3 days ago)
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
ACME support requires TLS and we want ACME clients to access the service
via the ipa-ca.$DOMAIN DNS name. So we need to add the ipa-ca.$DOMAIN
dNSName to IPA servers' HTTP certificates. To facilitate this, add a
special case to the cert-request command processing. The rule is:
- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server
Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed. Otherwise
continue with the usual dnsName validation.
Part of: https://pagure.io/freeipa/issue/8186
62129a44a (Fraser Tweedale, 3 days ago)
httpinstance: add fqdn and ipa-ca alias to Certmonger request
When (re-)tracking the HTTP certificate, explicitly add the server FQDN and
ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.
Part of: https://pagure.io/freeipa/issue/8186
fe3489cf4 (Fraser Tweedale, 4 days ago)
certmonger: support dnsname as request search criterion
We need to be able to filter Certmonger tracking requests by the DNS names
defined for the request. The goal is to add the
'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so we
will use that name as a search criterion. Implement support for this.
As a result of this commit it will be easy to add support for subset match
of other Certmonger request list properties. Just add the property name to
the ARRAY_PROPERTIES list (and update the
'criteria' description in the module docstring!)
Part of: https://pagure.io/freeipa/issue/8186
ea6d31bdf (Fraser Tweedale, 4 days ago)
certmonger: move 'criteria' description to module docstring
The 'criteria' parameter is used by several subroutines in the
ipalib.install.certmonger module. It has incomplete documentation spread
across several of these subroutines. Move the documentation to the module
docstring and reference it where appropriate.
Part of: https://pagure.io/freeipa/issue/8186
aa7b88ad6 (Fraser Tweedale, 4 days ago)
certmonger: avoid mutable default argument
certmonger._get_requests has a mutable default argument. Although at the
present time it is never modified, this is an antipattern to be avoided.
Part of: https://pagure.io/freeipa/issue/8186
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4193/head:pr4193
git checkout pr4193
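As an added illustration of the two mechanisms the commit messages describe (subset matching of array-valued Certmonger request properties such as dnsname, and the special-case dnsName rule in cert-request, applied to an upgrade-style "which HTTP requests still lack the alias" check), here is a small Python model. It is not FreeIPA's code and not from the PR: the request records, the IPA server inventory, the cert-file path, the DOMAIN value and the simplified "usual" dnsName rule are all assumptions constructed for the example.

```python
"""Model of the ipa-ca.$DOMAIN alias handling described in this PR.

This is an added illustration, not FreeIPA's code: the request records, the
IPA server inventory, the file paths and the simplified "usual" dnsName rule
are all assumptions constructed for the example.
"""

DOMAIN = "example.test"                                # assumed IPA domain
IPA_CA_ALIAS = "ipa-ca." + DOMAIN                      # the alias the PR adds
IPA_SERVERS = {"ipa1." + DOMAIN, "ipa2." + DOMAIN}     # assumed server inventory
HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"       # assumed cert-file path

# Request properties whose criteria match as a subset of the request's values,
# the idea behind the ARRAY_PROPERTIES list mentioned in commit fe3489cf4.
ARRAY_PROPERTIES = {"dnsname"}

# Constructed sample of Certmonger tracking requests (one dict per request).
REQUESTS = [
    {"nickname": "HTTP-ipa1", "cert-file": HTTPD_CERT_FILE, "ca-name": "IPA",
     "template_hostname": "ipa1." + DOMAIN,
     "dnsname": ["ipa1." + DOMAIN]},                       # alias missing
    {"nickname": "HTTP-ipa2", "cert-file": HTTPD_CERT_FILE, "ca-name": "IPA",
     "template_hostname": "ipa2." + DOMAIN,
     "dnsname": ["ipa2." + DOMAIN, IPA_CA_ALIAS]},         # alias present
    {"nickname": "LDAP-ipa1", "ca-name": "IPA",
     "cert-file": "/etc/dirsrv/slapd-EXAMPLE-TEST/Server-Cert",  # assumed path
     "template_hostname": "ipa1." + DOMAIN,
     "dnsname": ["ipa1." + DOMAIN]},
]


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def matches(request, criteria):
    """True when the request satisfies every criterion.

    Scalar properties must compare equal; properties in ARRAY_PROPERTIES match
    when every wanted value is present in the request (subset match).
    """
    for prop, wanted in criteria.items():
        have = request.get(prop)
        if prop in ARRAY_PROPERTIES:
            if not set(_as_list(wanted)) <= set(have or []):
                return False
        elif have != wanted:
            return False
    return True


def get_requests(criteria=None):
    # None rather than a mutable default, as commit aa7b88ad6 does.
    criteria = {} if criteria is None else criteria
    return [r for r in REQUESTS if matches(r, criteria)]


def http_requests_missing_alias():
    """Upgrade-time check: HTTP tracking requests that lack ipa-ca.$DOMAIN.

    These are the requests an upgrade step would resubmit to add the name.
    """
    with_alias = get_requests({"cert-file": HTTPD_CERT_FILE,
                               "dnsname": [IPA_CA_ALIAS]})
    return [r["nickname"] for r in get_requests({"cert-file": HTTPD_CERT_FILE})
            if r not in with_alias]


def dnsname_allowed(dnsname, principal):
    """Model of the cert-request dnsName rule from commit feea49420.

    ipa-ca.$DOMAIN is allowed immediately when the subject principal is an
    HTTP/ service whose host is an IPA server. Any other name falls through to
    the usual validation, simplified here (assumption) to "the name must equal
    the principal's hostname"; the real check is broader than this.
    """
    service, _, rest = principal.partition("/")
    hostname = rest.split("@", 1)[0]
    if (dnsname == IPA_CA_ALIAS and service == "HTTP"
            and hostname in IPA_SERVERS):
        return True
    return dnsname == hostname


if __name__ == "__main__":
    print("HTTP requests to resubmit:", http_requests_missing_alias())
    for name, princ in [(IPA_CA_ALIAS, "HTTP/ipa1." + DOMAIN + "@EXAMPLE.TEST"),
                        (IPA_CA_ALIAS, "ldap/ipa1." + DOMAIN + "@EXAMPLE.TEST"),
                        (IPA_CA_ALIAS, "HTTP/web." + DOMAIN + "@EXAMPLE.TEST")]:
        print(name, princ, "->", dnsname_allowed(name, princ))
```

The subset match is what lets a single `dnsname` criterion pick out requests that carry the alias among other names, which is why the upgrade check can be expressed as "all HTTP requests minus those that already match the alias". Note that the special case only short-circuits the alias for HTTP/ principals on known IPA servers; an HTTP service on a non-server host, or a non-HTTP service on a server, still goes through the normal validation.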