[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy

Piotr Baranowski piotr.baranowski at osec.pl
Wed Jun 17 14:45:24 UTC 2015


----- On 17 Jun 2015 at 16:21, Alexander Bokovoy abokovoy at redhat.com wrote:

> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>>
>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>----- Original message -----
>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>> So you have two different certificates in use here and your client
>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>> either to deliver that certificate to the client by yourself or change
>>>>> your proxying technology to something different.
>>>>>
>>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>
>>>>Thanks for that hint. I'll have a look at that.
>>>>
>>>>However, I have an idea:
>>>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>>mod_ssl that probably could solve the issue.
>>>>
>>>>Right?
>>> Sort of. Now you would have an issue of maintaining the certificate in
>>> multiple locations which would make rotation of it "interesting", so to
>>> say.
>>
>>Those would be only TWO certificates to manage. What's the challenge here?
> FreeIPA uses certmonger to rotate certificates when time approaches
> their expiration. Certmonger requests new certificate from the CA. In
> case you copied the certificate to some other server, you would need to
> manually maintain the other copy and there will be a period when IPA
> webserver's certificate would already be rotated but yours isn't.
> 
> Setting certmonger to rotate the same certificate from two locations
> wouldn't work.
> 
> I'm not saying it is hard, just that you should know what you are
> dealing with and accept window of blackout.

Good to know that.
Thanks for the heads-up.

I already exported the IPA CA cert, Server-Cert cert/key.
I'll have to wait until the maintenance window before I reload my apache.

Will keep you posted if that solved the problem.

Piotr
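As an added example that is not part of the thread: a small Python check that fetches the leaf certificate presented by the IPA web server and by the proxy and reports whether the proxy's copy has fallen behind a certmonger rotation (the blackout window described above). The host names are placeholders; the fingerprint inputs in the comparison function are plain DER bytes.

```python
"""Detect certificate drift between a FreeIPA web server and a reverse
proxy that serves a copy of IPA's Server-Cert.  Added example, not code
from the thread; host names below are placeholders."""
import hashlib
import socket
import ssl
from typing import Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    (the same form `openssl x509 -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, sni: Optional[str] = None) -> bytes:
    """Return the leaf certificate the server presents, in DER form.
    Verification is disabled on purpose: we want to see exactly what the
    proxy hands out, even when our trust store would reject it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_certs(ipa_der: bytes, proxy_der: bytes) -> dict:
    """Compare the two presented certificates; in_sync is False during the
    window after certmonger rotated IPA's cert but the proxy copy is stale."""
    ipa_fp, proxy_fp = fingerprint(ipa_der), fingerprint(proxy_der)
    return {"ipa": ipa_fp, "proxy": proxy_fp, "in_sync": ipa_fp == proxy_fp}


if __name__ == "__main__":
    # Placeholder hosts: replace with the IPA server and the proxy in front of it.
    ipa_der = fetch_leaf_der("ipa.example.test")
    proxy_der = fetch_leaf_der("proxy.example.test")
    report = compare_certs(ipa_der, proxy_der)
    print("IPA   :", report["ipa"])
    print("proxy :", report["proxy"])
    print("in sync" if report["in_sync"] else "DRIFT: proxy cert differs; re-export Server-Cert")
```

Run it from cron after each certmonger renewal to catch the stale-copy window before clients do.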