[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 26 00:57:35 UTC 2015


OK, quite clear, but I think that is not going to help me, if you ask
me. I might be wrong here, as this is what I get:

# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to ldap.mydomain.tld
(ldap.mydomain.tld)|10.100.0.250|:443... connected.
ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
'/O=MYDOMAIN.TLD/CN=Certificate Authority':
  Self-signed certificate encountered.
    ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
match requested host name 'ldap.mydomain.tld'.
To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

(I used the GUI, which actually worked quite OK following the docs;
I tried your version also but got stuck as I did it on the IPA server,
need to recheck that)

I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
the one I generated in the same file. I need to have them both in my
curl certificate.

I might be wrong here, but this is where I'm at.

Thanks again for your patience.

Matt
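
The wget failure above is a name-matching failure, not a trust failure: the certificate's CN is ldap-01.mydomain.tld and the requested host is ldap.mydomain.tld. The following is an added example, not code from this thread or from FreeIPA/certmonger, showing how a verifier that follows RFC 6125 decides that question: it compares the host against the DNS subjectAltName entries and consults the CN only when the certificate carries no DNS SAN at all. The certificate dicts are constructed from the names quoted in this thread and use the layout Python's ssl getpeercert() returns; the wildcard case goes beyond the thread to show the one-label rule. One consequence worth noting for the certmonger output below: its SAN lists only DNS:idp.example.com, and a verifier that ignores the CN once any DNS SAN is present would reject a connection made to balancer.example.com itself, so the CN host name should be listed as a SAN too.

```python
"""Hostname verification against X.509 names (CN vs. subjectAltName).

Added illustration for the wget error in the thread; not code from the
thread, FreeIPA or certmonger.  The certificate dicts are constructed
from the names quoted in the thread, in the layout that
ssl.SSLSocket.getpeercert() returns.
"""
from __future__ import annotations


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName (or CN) against a requested host name.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only when it is the entire leftmost label ("*.example.com")
    and it matches exactly one label, so it covers "a.example.com" but not
    "example.com" or "a.b.example.com" (RFC 6125 section 6.4.3).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole leftmost label, never "*.tld" alone, and
    # no other label may contain a wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_peercert(cert: dict) -> tuple:
    """Extract (commonName, [DNS SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS"]
    return cn, san_dns


def hostname_matches(cert: dict, host: str) -> tuple:
    """Decide whether `cert` is valid for `host`; returns (ok, reason).

    RFC 6125 rule: once the certificate carries any DNS SAN, the CN is
    ignored entirely.  The CN is consulted only as a legacy fallback when
    there are no DNS SANs, which is the path that produced the
    "common name ... doesn't match requested host name" error in the thread.
    """
    cn, san_dns = names_from_peercert(cert)
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, f"matched SAN DNS:{name}"
        return False, (f"no SAN DNS entry matches {host!r} "
                       f"(CN {cn!r} ignored because SANs are present)")
    if cn is not None and dns_name_matches(cn, host):
        return True, f"matched legacy CN {cn!r}"
    return False, f"common name {cn!r} doesn't match requested host name {host!r}"


# Constructed certificates (not real ones) using the names from the thread.
# No subjectAltName: the verifier has to fall back to the CN.
CERT_LDAP01 = {
    "subject": ((("organizationName", "MYDOMAIN.TLD"),),
                (("commonName", "ldap-01.mydomain.tld"),)),
    "issuer": ((("organizationName", "MYDOMAIN.TLD"),),
               (("commonName", "Certificate Authority"),)),
}
# CN for the balancer, SAN only for idp: mirrors the certmonger output quoted
# later in the thread (the othername entries are not DNS names and are omitted).
CERT_BALANCER = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "balancer.example.com"),)),
    "subjectAltName": (("DNS", "idp.example.com"),),
}
# Wildcard case, beyond the thread, to show the one-label rule.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.mydomain.tld"),),),
    "subjectAltName": (("DNS", "*.mydomain.tld"),),
}

if __name__ == "__main__":
    checks = [
        (CERT_LDAP01, "ldap.mydomain.tld"),      # the wget failure
        (CERT_LDAP01, "ldap-01.mydomain.tld"),   # direct access works
        (CERT_BALANCER, "idp.example.com"),      # SAN match
        (CERT_BALANCER, "balancer.example.com"), # CN alone is not enough
        (CERT_WILDCARD, "ldap.mydomain.tld"),
        (CERT_WILDCARD, "a.b.mydomain.tld"),
    ]
    for cert, host in checks:
        ok, reason = hostname_matches(cert, host)
        print(f"{host:24s} {'OK ' if ok else 'FAIL'} {reason}")
```

Running the module prints one line per check; the useful observation is the balancer.example.com case, which fails only because a DNS SAN is present, and passes as soon as balancer.example.com is added as a second DNS SAN.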



2015-03-20 15:39 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> The right way to request a SAN, this seems to need some extra config file ?
>
> Like I said before, use certmonger, it makes life easier.
>
> I'll create a new host balancer.example.com with a HTTP service. I'll
> generate a cert with a SAN for idp.example.com in that service. I'm
> generating the cert on idp.example.com, hence the service-add-host bit.
>
> On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)
>
> # kinit admin
> # ipa host-add balancer.example.com
> # ipa service-add HTTP/balancer.example.com --force
> # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
> # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
> /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
> HTTP/balancer.example.com -D idp.example.com
> # getcert list -i <id> until it goes to MONITORING
> # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 11 (0xb)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Mar 20 14:29:33 2015 GMT
>             Not After : Mar 20 14:29:33 2017 GMT
>         Subject: O=EXAMPLE.COM, CN=balancer.example.com
> [SNIP]
>         X509v3 extensions:
> [SNIP]
>             X509v3 Subject Alternative Name:
>                 DNS:idp.example.com, othername:<unsupported>,
> othername:<unsupported>
> [SNIP]
>
> SAN was definitely not supported in 3.0. Not sure about 3.3, should work
> in 4.0+.
>
> rob
>
>>
>> 2015-03-19 15:04 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Isn't this documented well (yet) ?
>>>
>>> Is what documented yet?
>>>
>>> rob
>>>
>>>>
>>>> The RH docs are always very detailed about it, but I'm not sure
>>>> here... I see solutions but not 100% from A to Z to make sure we do it
>>>> the proper way.
>>>>
>>>> 2015-03-12 16:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>> Not worried, I need to try.
>>>>>
>>>>> I think it's not an issue as we use persistence for the connection. We
>>>>> only do some user adding/changing stuff, nothing really fancy but it
>>>>> needs to be decent. As persistence comes in I think we don't have to
>>>>> worry about it, we discussed that here earlier as I remember.
>>>>>
>>>>> Or do I ?
>>>>>
>>>>> Something else; did you have a nice PTO ?
>>>>>
>>>>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>> Matt . wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Security wise I can understand that.
>>>>>>>
>>>>>>> Yes I have read about that... but that would let me use the
>>>>>>> loadbalancer to connect ? I was not sure if the SAN would "connect" as
>>>>>>> "other" host.
>>>>>>
>>>>>> Kerberos through a load balancer can be a problem. Is this what you're
>>>>>> worried about?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>>
>>>>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>>>> Matt . wrote:
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> Is Rob able to look at this ? I hope he has some spare time as I'm
>>>>>>>>> kinda stuck with this issue.
>>>>>>>>
>>>>>>>> Wildcard certs are not supported.
>>>>>>>>
>>>>>>>> You can request a SAN with certmonger using -D <FQDN>. That will work
>>>>>>>> with IPA 4.x for sure, maybe 3.3.5.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>> I'm reviewing some things.
>>>>>>>>>>
>>>>>>>>>> When I'm using a loadbalancer, which I prefer in this setup, I need to
>>>>>>>>>> have the same certificates on both servers. Maybe a wildcard for my
>>>>>>>>>> domain could do instead of having only both FQDNs of the servers
>>>>>>>>>> including the loadbalancer's FQDN.
>>>>>>>>>>
>>>>>>>>>> But the question remains, how?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I will balance with IP persistence so I think there won't be any
>>>>>>>>>>> mixing as long as that "used" server is online.
>>>>>>>>>>>
>>>>>>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, understood.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But when a webservice does execute a command (from scripting) to a SRV
>>>>>>>>>>>>> record and the first is not reachable, would it try to do it again or
>>>>>>>>>>>>> will DNS handle this in front of it ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>>>>>>>>> checked if the user was able to auth himself using his ldap
>>>>>>>>>>>>> credentials, if so, this kinit exec is fired and I do some CURL stuff
>>>>>>>>>>>>> to the IPA server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server
>>>>>>>>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>>>>>>>>> I'm not sure if the SRV will handle this well when doing these commands
>>>>>>>>>>>>> from PHP, for example. Building in extra checks in front could be
>>>>>>>>>>>>> done but it is not ideal as a loadbalancer can handle such things much
>>>>>>>>>>>>> better.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>>>>>>>>> Rob. What is our failover logic for API?
>>>>>>>>>>>>
>>>>>>>>>>>> For CLI we use a negotiation and then we store a cookie so as long as the
>>>>>>>>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>>>>>>>>> think you need to re-encrypt the traffic at load balancer and thus have a
>>>>>>>>>>>> cert there then if you can enforce the use of the same server in this case.
>>>>>>>>>>>>
>>>>>>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>>>>>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>>>>>>
>>>>>>>>>>>> Rob does that make sense for you?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
>>>>>>>>>>>>>>> SRV won't fit here sorry to say.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>>>>>>>>> believe ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Each entity in a Kerberos exchange has its own identity and key.
>>>>>>>>>>>>>> If you send a ticket that is destined to service A instead to service B it
>>>>>>>>>>>>>> would not work unless they share the same keys and identity. Sharing the same
>>>>>>>>>>>>>> keys and identities between the servers just would not work with IPA.
>>>>>>>>>>>>>> Keep in mind that IPA clients and server need to work and fail over if you
>>>>>>>>>>>>>> do not have any load balancers and this is the common case. You are trying
>>>>>>>>>>>>>> to add one where it is really not needed, creating overhead for yourself.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>>>>>>>>> 100% there in step 6
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks again!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matthijs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using
>>>>>>>>>>>>>>>>> curl/json.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If we are talking purely about scripting, you can use the IPA Python API. It
>>>>>>>>>>>>>>>> will handle fail over for you even without any load balancer. That would be
>>>>>>>>>>>>>>>> the easiest way.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>>>>>>>>> central point where I can talk to, I use a loadbalancer.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Well, if you can control clients then the easiest and most universal way
>>>>>>>>>>>>>>>> is to use DNS SRV records and add failover logic to clients. That solution
>>>>>>>>>>>>>>>> works even when servers are geographically distributed/in different networks
>>>>>>>>>>>>>>>> and does not have a single point of failure (the load balancer).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>>>>>>>>>>>>>>>> on the IPA server because this is needed for the http service
>>>>>>>>>>>>>>>>> principals, I need to add the loadbalancer hostname to my IPA server
>>>>>>>>>>>>>>>>> and make it an ALT name in its certificate.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a
>>>>>>>>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on the IPA
>>>>>>>>>>>>>>>> server have their own keytabs too. Every service on every server has its own
>>>>>>>>>>>>>>>> keytab with a different key.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about the possibility
>>>>>>>>>>>>>>>> of sharing keytabs between IPA services.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm still not sure if you want to have human users too or just API
>>>>>>>>>>>>>>>> clients.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each ipa
>>>>>>>>>>>>>>>>>>> server ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>>>>>>>>> detail, please?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>>>>>>>>>>>>>>>>> use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Are you talking about the FreeIPA web interface? It is technically
>>>>>>>>>>>>>>>>>>>> possible to use a load-balancer but it will be really hacky. You would
>>>>>>>>>>>>>>>>>>>> have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I would recommend you to use "something" which issues an HTTP redirect
>>>>>>>>>>>>>>>>>>>> to ipa server 1/2/3/4/5 according to current state instead of using a
>>>>>>>>>>>>>>>>>>>> classical load balancer on the network level. A normal HTTP redirect
>>>>>>>>>>>>>>>>>>>> will not force you to mess with certs and keytabs.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Petr Spacek  @  Red Hat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>
>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>
>
