Univention Bugzilla – Bug 44469
univention-certificate should allow additional/custom subjectAltName
Last modified: 2021-10-26 12:18:16 CEST
univention-certificate uses the FQDN and the hostname for the "Subject Alternative Name" in certificates:

# grep "$HOSTNAME" "/etc/univention/ssl/$HOSTNAME/openssl.cnf"
CN = ucs-7125.intranet.example.org
subjectAltName = DNS:ucs-7125.intranet.example.org, DNS:ucs-7125

But there are cases where we want or need to add other DNS names to this field, e.g. a DNS alias or an externally available DNS name.

Scenario:
1. We have a server called cloud01.intranet.example.org with a DNS alias cloud.intranet.example.org
   → the certificate should be valid for both FQDNs.
2. We have an internal server called webmail.intranet.example.org and we have an external DNS record for webmail.example.org. The latter is now redirected via NAT to the internal system.
   → the certificate should be valid for both FQDNs.
Requested during technical training.
Created attachment 9021: Patch for make-certificate.sh
Attached is a patch to get all CNAMEs for a given FQDN from the LDAP to create a certificate with all CNAMEs as subjectAlternativeName.
*** Bug 44960 has been marked as a duplicate of this bug. ***
I think in my ticket this feature would prevent a lot of additional extra effort for the customer.
Successful build
Package: univention-ssl
Version: 12.0.0-13A~4.3.0.201810011332
Branch: ucs_4.3-0
Scope: errata4.3-2

univention-ssl (12.0.0-13)
9063af544ba5 | Bug #44469: Merge branch 'jahlers/44469-san-certs' into 4.3-2
6383b62efe2e | Bug #44469: enable dns aliases in certificate creation
univention-ssl.yaml
2a1b51772588 | Bug #44469: yaml

I applied Timo's patch. Also, since Bug #41013 cert names don't have to be unique anymore. I changed that creating a new cert now does not revoke any old certs of the dn.

When creating an alias record, a new cert will not be created automatically. I created a feature request for this: Bug #47886
OK: univention-ssl.yaml
OK: errata-announce -V --only univention-ssl.yaml
OK: apt install univention-ssl
OK 6383b62efe2e
OK: udm computers/memberserver create --position "cn=memberserver,cn=computers,$(ucr get ldap/base)" --set name=bug44469 --set password=univention --set network="$(udm networks/network list | sed -ne 's/^DN: //p;T;q')" --set dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list | sed -ne 's/^DN: //p;T;q') bugzilla44469"
OK: openssl x509 -noout -text -in /etc/univention/ssl/bug44469/cert.pem | grep DNS:
OK: udm computers/memberserver modify --dn "cn=bug44469,cn=memberserver,cn=computers,$(ucr get ldap/base)" --append dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list | sed -ne 's/^DN: //p;T;q') issue44469"
FAIL:
udm dns/forward_zone create --position "cn=dns,$(ucr get ldap/base)" --set nameserver="$(hostname -f)" --set zone='pub.lic'
udm computers/memberserver create --position "cn=memberserver,cn=computers,$(ucr get ldap/base)" --set name=other44469 --set password=univention --set network="$(udm networks/network list | sed -ne 's/^DN: //p;T;q')" --set dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list --filter zoneName=pub.lic | sed -ne 's/^DN: //p;T;q') www"
dig +nocomments +nocmd +nostats www.pub.lic. cname
# www.pub.lic. 900 IN CNAME other44469.phahn.qa.
#                           ^^^^^^^^^^^^
openssl x509 -noout -text -in /etc/univention/ssl/other44469/cert.pem | grep DNS:
# DNS:other44469.phahn.qa, DNS:other44469, DNS:www, DNS:www.phahn.qa
#                                                       ^^^^^^^^^^^^
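The following is an added example, not code from univention-ssl or its make-certificate.sh patch. It shows the SAN construction the description asks for (host FQDN plus every DNS alias) and the second-zone case the FAIL above exercises: the alias FQDN must be formed from the zone named in the alias entry itself, so "www" in zone pub.lic becomes www.pub.lic rather than www.<domainname>. The entry format "<zone> <zone DN> <alias label>" mirrors the dnsEntryZoneAlias values in the test commands; the SAN layout (FQDN, short hostname, then bare label and label.<zone> per alias) is modelled on the output quoted in this bug and is an assumption, as is the self-signed certificate, which stands in for the UCS CA signing step.

```shell
#!/bin/sh
# Added example, not univention-ssl's make-certificate.sh: build the
# subjectAltName value for a host from UDM dnsEntryZoneAlias entries,
# issue a certificate carrying it, and read the DNS: names back with openssl.
# Entry format "<zone> <zone DN> <alias label>" and the SAN layout are
# assumptions modelled on the output quoted in Bug #44469, not UCS code.
set -e

# add_san NAME  -- append DNS:NAME to $san unless it is already present
add_san() {
    case ", $san," in
        *", DNS:$1,"*) ;;
        *) san="$san, DNS:$1" ;;
    esac
}

# san_from_aliases FQDN [ALIAS...]
# Prints the subjectAltName value. The alias FQDN is built from the zone
# named in the alias entry, not from the host's own domain, so an alias in
# a second zone (www in pub.lic) becomes www.pub.lic.
san_from_aliases() {
    fqdn=$1; shift
    host=${fqdn%%.*}
    san="DNS:$fqdn"
    add_san "$host"
    for entry in "$@"; do
        zone=${entry%% *}     # first field: the zone name
        label=${entry##* }    # last field: the alias label
        add_san "$label"
        add_san "$label.$zone"
    done
    printf '%s\n' "$san"
}

# write_openssl_cnf DIR FQDN SAN  -- minimal req config with the SAN extension
write_openssl_cnf() {
    cat >"$1/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ext

[ req_dn ]
CN = $2

[ v3_ext ]
subjectAltName = $3
EOF
}

# issue_cert DIR FQDN [ALIAS...]  -- self-signed for demonstration only;
# the UCS CA signs with its own key, which is not reproduced here.
issue_cert() {
    dir=$1; fqdn=$2; shift 2
    write_openssl_cnf "$dir" "$fqdn" "$(san_from_aliases "$fqdn" "$@")"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/private.key" -out "$dir/cert.pem" 2>/dev/null
}

# cert_dns_sans FILE  -- the DNS: names a certificate actually carries
cert_dns_sans() {
    openssl x509 -noout -text -in "$1" | grep 'DNS:' | sed 's/^[[:space:]]*//'
}

# Demo run (skipped when openssl is not installed): host in phahn.qa with one
# alias in its own zone and one in the second zone pub.lic, as in the test above.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    issue_cert "$tmp" other44469.phahn.qa \
        "phahn.qa zoneName=phahn.qa,cn=dns,dc=phahn,dc=qa bugzilla44469" \
        "pub.lic zoneName=pub.lic,cn=dns,dc=phahn,dc=qa www"
    cert_dns_sans "$tmp/cert.pem"
    rm -rf "$tmp"
fi
```

The check a practitioner wants after any such change is the last step: read the issued certificate back with openssl x509 and confirm that every alias appears with its own zone suffix, since a name that resolves via CNAME but is missing from the SAN list will still fail TLS hostname verification.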
[4.3-2 fcaf06d47a] Bug #44469 SSL: Fix DNS alias lookup
[4.3-2 6594def99b] Bug #44469: YAML
Package: univention-ssl
Version: 12.0.0-15A~4.3.0.201810301104
Branch: ucs_4.3-0
Scope: errata4.3-2

OK: apt-get install univention-ssl=12.0.0-15A~4.3.0.201810301104
OK: errata-announce univention-ssl.yaml
OK: univention-ssl.yaml
OK: cname
OK: /var/log/univention/listener.log
OK: ./debian/rules override_dh_auto_test
TODO: Add ucs-test -> Janik
<http://errata.software-univention.de/ucs/4.3/297.html>
I added the test 101_ssl_cname_san, which tests SAN creation for the default DNS zone and another DNS zone.

Successful build
Package: ucs-test
Version: 8.0.28-222A~4.3.0.201811091144
Branch: ucs_4.3-0
Scope: errata4.3-2

baa93918a8de2ea1dd9f927eb40dd720acaea93a Bug #44469: Merge branch 'jahlers/44469-san-certs' into 4.3-2
7f4aee85aa093623c706bf9f659ac0afe9c5575f Bug #44469: add test 101_ssl_cname_san, translate comments to english
                                                                                ^^^^^
Ignore the 'translate comments to english', I forgot to fix the commit message.
*** Bug 44639 has been marked as a duplicate of this bug. ***