https://bugzilla.redhat.com/show_bug.cgi?id=866955 (Red Hat Enterprise Linux 6)
Description of problem:
When trying to sign a certificate request by IPA, which contains subjectAltName apart from subject (CN) as one of its extensions, ipa doesn't sign the request and fails with the below error:

    ipa cert-request: ERROR: invalid 'fqdn': must be Unicode text

    ipa cert-request server.csr --principal=HTTP/sv-1327lvu45.mgtlu.1327.local --add
    #Fails with the following error:
    #ipa: ERROR: invalid 'fqdn': must be Unicode text

Version-Release number of selected component (if applicable):
The issue doesn't occur when csr does not have subjectAltName
Versions: ipa-server-2.2.0-16.el6.x86_64

Steps to Reproduce:
1. Install ipa server with ca (dogtag)
2. Create a certificate request with subjectAltName

    openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key -config openssl-san.cnf

3. Sign the request.

    ipa cert-request server.csr --principal=HTTP/sv-1327lvu45.mgtlu.1327.local --add
    #Fails with the following error:
    #ipa: ERROR: invalid 'fqdn': must be Unicode text

Actual results:
ipa ca doesn't sign csr which has subjectAltName.

Expected results:
ipa ca should sign csr which has subjectAltName

Additional info:
openssl-san.cnf file

    $cat 10-openssl-san.cnf
    [req]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    encrypt_key = no

    [req_distinguished_name]
    countryName = LU
    stateOrProvinceName = Luxembourg
    localityName = Luxembourg
    0.organizationName = EBRC
    organizationalUnitName = EBRC
    commonName = sv-1327lvu45.mgtlu.1327.local
    emailAddress = ccc@ebrc.com

    [ v3_req ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = sv-1327lvu45.mgtlu.1327.local
I was wrong in moving it into 3.2. It should be 3.0.1.
attachment freeipa-rcrit-1066-altname.patch
master: 4a97fd0
ipa-3-0: 68933b9
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)