Found a discussion of this here: https://frasertweedale.github.io/blog-redhat/posts/2019-02-18-freeipa-san-ip.html

Summary: Unless FreeIPA's DNS is in use, even if the sysadmins know the IPs to be correct owing to DNSSEC-supporting resolvers, FreeIPA can't issue certificates with IPs in the SAN. There exists no --force option for instances where the sysadmins do know the off-host resolvers are complete and correct. It also appears FreeIPA won't even allow FreeIPA DNS to be installed only to use forwarders in this case. According to the 2019 blog entry, there MUST be DNS records in the LDAP or FreeIPA can't issue certs with IPs in the SAN.

I think either a --permit-offhost-resolver or a --skip-san-ip-check flag for ipa-cert-request would put appropriate control in the local sysadmin's hands.

The alternatives are either to migrate away from FreeIPA for certificates, leaving it as only a Kerberos/LDAP IdM provider, or to create some cron job that populates FreeIPA's DNS from the authoritative off-host source (a reverse double-bind-dyn-ldap??), or to hack a custom ipaserver/plugins/cert.py.

If we knew a flag in ipa-cert-request to allow local judgement to control this situation was in the works, the temporary hack to ipaserver/plugins/cert.py would be the best approach. The alternatives are not very attractive.

Has all this been fixed in some newer version?  Hopefully?

Thanks

Harry
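The rule Harry is running into, as an added example that is not part of this thread and not FreeIPA's own ipaserver/plugins/cert.py: a small Python model of the check the linked blog post describes, namely that every iPAddress SAN must have a PTR record in IPA-managed DNS pointing at a dNSName that is also in the CSR, and that name must carry an A/AAAA record for the same address. The zone table, the host names under example.test, the documentation-range addresses and all function names are constructed for the illustration; records known only to an off-host resolver never appear in the table, which is the wall described above.

```python
"""Model of the DNS consistency rule FreeIPA applies to iPAddress SAN values.

Added illustration, not FreeIPA's own code.  Rule as described in the linked
blog post (assumed here): every IP in the SAN must have a PTR record in
IPA-managed DNS pointing at a dNSName that is also in the SAN, and that name
must have an A/AAAA record containing the IP.  Records that only an off-host
resolver knows about do not count.
"""
import ipaddress


def fqdn(name: str) -> str:
    """Normalise to a fully qualified, lower-case owner name with a trailing dot."""
    return name.lower().rstrip(".") + "."


def rev(ip: str) -> str:
    """Owner name of the PTR record for an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed stand-in for records stored in IPA DNS (LDAP).  example.test is a
# reserved test domain; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
IPA_DNS = {
    fqdn("web1.example.test"): [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    fqdn("web2.example.test"): [("A", "192.0.2.20")],
    fqdn("web3.example.test"): [("A", "192.0.2.31")],
    rev("192.0.2.10"): [("PTR", fqdn("web1.example.test"))],
    rev("2001:db8::10"): [("PTR", fqdn("web1.example.test"))],
    rev("192.0.2.20"): [("PTR", fqdn("other.example.test"))],  # PTR to a name not in the CSR
    rev("192.0.2.30"): [("PTR", fqdn("web3.example.test"))],   # PTR fine, but no matching A
    # 192.0.2.40 has no PTR at all (e.g. the record lives only in the off-host resolver)
}


def forward_ips(name: str, zone: dict) -> set:
    """Normalised A/AAAA addresses recorded for an owner name."""
    return {str(ipaddress.ip_address(rdata))
            for rtype, rdata in zone.get(fqdn(name), ()) if rtype in ("A", "AAAA")}


def ptr_targets(ip: str, zone: dict) -> set:
    """Names the PTR record(s) for ip point at."""
    return {fqdn(rdata) for rtype, rdata in zone.get(rev(ip), ()) if rtype == "PTR"}


def check_ip_sans(dnsnames, ips, zone=IPA_DNS) -> list:
    """Return a list of problems; an empty list means the request would pass.

    dnsnames: dNSName SAN values from the CSR; ips: iPAddress SAN values.
    """
    names = {fqdn(n) for n in dnsnames}
    problems = []
    for raw in ips:
        ip = str(ipaddress.ip_address(raw))  # normalises, and rejects malformed input
        ptrs = ptr_targets(ip, zone)
        if not ptrs:
            problems.append(f"{ip}: no PTR record in IPA DNS")
            continue
        in_csr = ptrs & names
        if not in_csr:
            problems.append(f"{ip}: PTR points at {sorted(ptrs)}, "
                            "none of which is a dNSName in the CSR")
            continue
        if not any(ip in forward_ips(n, zone) for n in in_csr):
            problems.append(f"{ip}: {sorted(in_csr)} have no A/AAAA record for this address")
    return problems


if __name__ == "__main__":
    cases = [(["web1.example.test"], ["192.0.2.10", "2001:db8::10"]),
             (["web2.example.test"], ["192.0.2.20"]),
             (["web3.example.test"], ["192.0.2.30"]),
             (["web1.example.test"], ["192.0.2.40"])]
    for names, ips in cases:
        print(names, ips, "->", check_ip_sans(names, ips) or "OK")
```

Only the first case passes; the other three show the distinct ways a request is refused (PTR to a name outside the CSR, PTR without a matching forward record, no PTR at all). The records that satisfy the model are the ones the IPA DNS plugin creates, for example `ipa dnsrecord-add example.test web1 --a-rec 192.0.2.10 --a-create-reverse`, or the PTR separately with `ipa dnsrecord-add 2.0.192.in-addr.arpa 10 --ptr-rec web1.example.test.`; a correct answer from an off-host resolver does not populate that table.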

---

Hi FreeIPA Team,

Am I correct that FreeIPA can issue certificates with IP addresses in the SAN part of the cert only if FreeIPA's internal DNS is active and current? Even if DNSSEC-supporting resolvers with accurate info are on the same RFC 1918 subnet as FreeIPA and nslookup/dig report proper answers?

I hit a wall trying to re-issue a certificate. We had FreeIPA's DNS running a few years ago, when the certs were first issued, then migrated to another resolver with better HA DNSSEC support.

Would FreeIPA be able to issue IPs in certificates if I enabled FreeIPA's DNS system but pointed it off-host for all resolutions? Or is it required that the DNS records be in local LDAP 'no matter what'?

Or perhaps a 'force because I actually do know what I'm doing' command to issue such certificates with IPs in the SAN?

I feel like I'm missing something obvious here, so please help me out.

Thanks

Harry

--
FreeIPA-users mailing list