#1464 Tomcat's server cert should have subjectAltName
Closed: fixed 4 years ago by ftweedal. Opened 8 years ago by cheimes.

The SSL server doesn't conform to RFC 2818. Even with a fresh installation the server cert for the Tomcat instance on port 8443 has no subjectAltName extension. It should have a SAN extension with dNSName equal to its subject's CN.

Chrome has an outstanding bug to remove hostname matching in CN: [Remove support for common names in certificates; only support Subject Alt Names](https://code.google.com/p/chromium/issues/detail?id=308330)

I found the problem while I was working on #1253. With certificate validation, requests still emits a warning:

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no subjectAltName, falling back to check for a commonName for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)


Per CS/DS meeting of 07/06/2015 after obtaining additional information from cheimes: 10.3
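The check the ticket asks for, as an added example that is not code from the ticket or from Dogtag: it uses openssl (not Dogtag's NSS tooling) to read the subject CN and the SAN dNSName entries of a PEM certificate and report whether the SAN covers the CN, and it builds one self-signed cert without SAN (the state urllib3 warns about) and one with SAN (the RFC 2818 shape). The host name pki.example.test is a constructed placeholder, and `make_cert` assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not from the ticket or from Dogtag: check whether a PEM cert
# carries a subjectAltName dNSName equal to its subject CN (RFC 2818), and
# build two self-signed certs with openssl to show the failing and fixed
# shapes. The host name pki.example.test is a constructed placeholder.

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the dNSName entries of the SAN extension, one per line (nothing if absent).
cert_san_dns() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 when the SAN lists the CN, 1 otherwise. A 1 here is exactly the state
# urllib3 warns about: no SAN, so clients fall back to (deprecated) CN matching.
san_matches_cn() {
  cn=$(cert_cn "$1")
  cert_san_dns "$1" | grep -qxF -- "$cn"
}

# Self-signed cert generator: $1 output prefix, $2 CN, $3 optional SAN value
# such as "DNS:pki.example.test". Needs OpenSSL >= 1.1.1 for -addext.
make_cert() {
  prefix=$1; cn=$2; san=$3
  set -- req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
         -keyout "$prefix.key" -out "$prefix.pem"
  [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
  openssl "$@" 2>/dev/null
}

# Demo: the cert without SAN reproduces the bug, the one with SAN is the fix.
demo() {
  d=$(mktemp -d)
  make_cert "$d/nosan" pki.example.test
  make_cert "$d/san" pki.example.test "DNS:pki.example.test"
  for c in "$d/nosan.pem" "$d/san.pem"; do
    if san_matches_cn "$c"; then echo "OK   $c"
    else echo "FAIL $c: no SAN dNSName for CN $(cert_cn "$c")"; fi
  done
}

demo
```

Point `san_matches_cn` at the PEM exported from the Tomcat instance's NSS database to test a real deployment; a wildcard dNSName does not count as a match for the CN here, which is the strict reading of the ticket.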

Metadata Update from @cheimes:
- Issue set to the milestone: UNTRIAGED

7 years ago

I'm sure we have solved this now. But please reopen if I am mistaken.

Metadata Update from @ftweedal:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2023

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

