Univention Bugzilla – Full Text Bug Listing

| Summary: | univention-certificate should allow additional/custom subjectAltName | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
| Component: | SSL | Assignee: | Jannik Ahlers <ahlers> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | enhancement | | |
| Priority: | P5 | CC: | best, birkefeld, botner, brodersen, damrose, denissen, forge.univention.org, gulden, requate, scheinig, schneider, stoeckigt |
| Version: | UCS 4.3 | Flags: | grandjean: Patch_Available+ |
| Target Milestone: | UCS 4.3-2-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=44639 | | |
| What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | Yes |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017083021000457 | Bug group (optional): | External feedback |
| Max CVSS v3 score: | | | |
| Attachments: | Patch for make-certificate.sh | | |
Description

Michael Grandjean 2017-04-25 19:29:15 CEST

Requested during technical training.

Created attachment 9021 [details]
Patch for make-certificate.sh

Attached is a patch to get all CNAMEs for a given FQDN from the LDAP to create a certificate with all CNAMEs as subjectAlternativeName.

*** Bug 44960 has been marked as a duplicate of this bug. ***

I think in my ticket this feature would prevent a lot of additional extra effort for the customer.

Successful build
Package: univention-ssl
Version: 12.0.0-13A~4.3.0.201810011332
Branch: ucs_4.3-0
Scope: errata4.3-2

univention-ssl (12.0.0-13)
9063af544ba5 | Bug #44469: Merge branch 'jahlers/44469-san-certs' into 4.3-2
6383b62efe2e | Bug #44469: enable dns aliases in certificate creation
univention-ssl.yaml
2a1b51772588 | Bug #44469: yaml

I applied Timo's patch. Also, since Bug #41013 cert names don't have to be unique anymore. I changed that creating a new cert now does not revoke any old certs of the dn.

When creating an alias record, a new cert will not be created automatically. I created a feature request for this: Bug #47886

```
OK: univention-ssl.yaml
OK: errata-announce -V --only univention-ssl.yaml
OK: apt install univention-ssl
OK 6383b62efe2e
OK: udm computers/memberserver create --position "cn=memberserver,cn=computers,$(ucr get ldap/base)" --set name=bug44469 --set password=univention --set network="$(udm networks/network list | sed -ne 's/^DN: //p;T;q')" --set dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list | sed -ne 's/^DN: //p;T;q') bugzilla44469"
OK: openssl x509 -noout -text -in /etc/univention/ssl/bug44469/cert.pem | grep DNS:
OK: udm computers/memberserver modify --dn "cn=bug44469,cn=memberserver,cn=computers,$(ucr get ldap/base)" --append dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list | sed -ne 's/^DN: //p;T;q') issue44469"
FAIL:
udm dns/forward_zone create --position "cn=dns,$(ucr get ldap/base)" --set nameserver="$(hostname -f)" --set zone='pub.lic'
udm computers/memberserver create --position "cn=memberserver,cn=computers,$(ucr get ldap/base)" --set name=other44469 --set password=univention --set network="$(udm networks/network list | sed -ne 's/^DN: //p;T;q')" --set dnsEntryZoneAlias="$(ucr get domainname) $(udm dns/forward_zone list --filter zoneName=pub.lic | sed -ne 's/^DN: //p;T;q') www"
dig +nocomments +nocmd +nostats www.pub.lic. cname
# www.pub.lic. 900 IN CNAME other44469.phahn.qa.
# ^^^^^^^^^^^^
openssl x509 -noout -text -in /etc/univention/ssl/other44469/cert.pem | grep DNS:
# DNS:other44469.phahn.qa, DNS:other44469, DNS:www, DNS:www.phahn.qa
#                                                   ^^^^^^^^^^^^
```

[4.3-2 fcaf06d47a] Bug #44469 SSL: Fix DNS alias lookup
[4.3-2 6594def99b] Bug #44469: YAML

Package: univention-ssl
Version: 12.0.0-15A~4.3.0.201810301104
Branch: ucs_4.3-0
Scope: errata4.3-2

```
OK: apt-get install univention-ssl=12.0.0-15A~4.3.0.201810301104
OK: errata-announce univention-ssl.yaml
OK: univention-ssl.yaml
OK: cname
OK: /var/log/univention/listener.log
OK: ./debian/rules override_dh_auto_test
TODO: Add ucs-test -> Janik
```

I added the test 101_ssl_cname_san, which tests SAN creation for the default DNS zone and another DNS zone.

Successful build
Package: ucs-test
Version: 8.0.28-222A~4.3.0.201811091144
Branch: ucs_4.3-0
Scope: errata4.3-2

baa93918a8de2ea1dd9f927eb40dd720acaea93a Bug #44469: Merge branch 'jahlers/44469-san-certs' into 4.3-2
7f4aee85aa093623c706bf9f659ac0afe9c5575f Bug #44469: add test 101_ssl_cname_san, translate comments to english
                                                                                  ^^^^^
Ignore the 'translate comments to english', I forgot to fix the commit message.

*** Bug 44639 has been marked as a duplicate of this bug. ***
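The QA comments above verify the fix by comparing the CNAME records that `dig` returns with the `DNS:` entries that `openssl x509 -text` prints from the host certificate; the FAIL case is an alias in a second zone (`www.pub.lic`) that the first build emitted as `www` and `www.phahn.qa`. The script below is an added example, not part of the bug report, of univention-ssl or of ucs-test, that automates that comparison offline. The `dig` answer line and the 12.0.0-13 SAN line are copied from the QA comment; the second alias (`issue44469.phahn.qa` pointing at `other44469`), the "fixed" SAN line, and the rule that a host certificate should carry its FQDN, its short name and every alias FQDN that CNAMEs to it are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: answer lines of
#   dig +nocomments +nocmd +nostats www.pub.lic. cname
# The first line is quoted from the QA comment; the second alias is made up here.
SAMPLE_DIG_OUTPUT = """\
www.pub.lic. 900 IN CNAME other44469.phahn.qa.
issue44469.phahn.qa. 900 IN CNAME other44469.phahn.qa.
"""

# Constructed sample: the line printed by
#   openssl x509 -noout -text -in /etc/univention/ssl/other44469/cert.pem | grep DNS:
# for the 12.0.0-13 build, where the pub.lic alias came out as www / www.phahn.qa.
SAN_BROKEN = "DNS:other44469.phahn.qa, DNS:other44469, DNS:www, DNS:www.phahn.qa"

# Assumed (not taken from the bug) output for a correct certificate of the same host.
SAN_FIXED = "DNS:other44469.phahn.qa, DNS:other44469, DNS:www.pub.lic, DNS:issue44469.phahn.qa"

# "<alias>. <ttl> IN CNAME <target>." as dig prints an answer line
CNAME_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+CNAME\s+(\S+)\.$")


def parse_cnames(dig_output: str) -> Dict[str, str]:
    """Map alias FQDN -> target FQDN (trailing dots stripped, case-folded)."""
    aliases: Dict[str, str] = {}
    for line in dig_output.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            aliases[m.group(1).lower()] = m.group(2).lower()
    return aliases


def parse_san_dns(openssl_text: str) -> Set[str]:
    """Collect every DNS: entry from `openssl x509 -text` output (case-folded)."""
    return {n.lower() for n in re.findall(r"DNS:([^,\s]+)", openssl_text)}


def expected_san(fqdn: str, aliases: Dict[str, str]) -> Set[str]:
    """SAN names a host certificate is assumed to need: the FQDN, the short host
    name (both appear in the bug's output) and every alias FQDN that CNAMEs to it."""
    fqdn = fqdn.lower().rstrip(".")
    wanted = {fqdn, fqdn.split(".")[0]}
    wanted |= {alias for alias, target in aliases.items() if target == fqdn}
    return wanted


def check_san(fqdn: str, dig_output: str, openssl_text: str) -> Tuple[List[str], List[str]]:
    """Return (missing, unexpected) SAN names for fqdn; an empty `missing` list is a pass.
    Unexpected names are reported so a mis-built alias (e.g. www.phahn.qa) is visible."""
    wanted = expected_san(fqdn, parse_cnames(dig_output))
    have = parse_san_dns(openssl_text)
    return sorted(wanted - have), sorted(have - wanted)


if __name__ == "__main__":
    for label, san in (("12.0.0-13 build", SAN_BROKEN), ("fixed (assumed)", SAN_FIXED)):
        missing, extra = check_san("other44469.phahn.qa", SAMPLE_DIG_OUTPUT, san)
        status = "OK" if not missing else "FAIL"
        print(f"{label}: {status} missing={missing} unexpected={extra}")
```

On a real host the two sample strings would be replaced by the captured output of the `dig` and `openssl` commands from the QA comment; the comparison is case-insensitive and ignores trailing dots, since DNS names and SAN entries differ only in presentation there.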