[Freeipa-users] subjectAlternativeName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 26 09:45:52 UTC 2015


When digging around I see this documentation:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

I would expect that server.example.com is not going to be accepted by
IPA when you visit the web GUI like that?

2015-03-26 1:57 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> OK, quite clear, but I think that is not going to help me, if you ask
> me. I might be wrong here, as this is what I get:
>
> # wget https://ldap.mydomain.tld/ipa/json
> --2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
> Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
> Connecting to ldap.mydomain.tld
> (ldap.mydomain.tld)|10.100.0.250|:443... connected.
> ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
> '/O=MYDOMAIN.TLD/CN=Certificate Authority':
>   Self-signed certificate encountered.
>     ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
> match requested host name 'ldap.mydomain.tld'.
> To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.
>
> (I used the GUI, which actually worked quite OK following the docs; I
> tried your version also but got stuck as I did it on the IPA server,
> need to recheck that)
>
> I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
> the one I generated in the same file. I need to have them both in my
> curl certificate.
>
> I might be wrong here, but this is where I'm at.
>
> Thanks again for your patience.
>
> Matt
>
>
>
> 2015-03-20 15:39 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> The right way to request a SAN, this seems to need some extra config file?
>>
>> Like I said before, use certmonger, it makes life easier.
>>
>> I'll create a new host balancer.example.com with an HTTP service. I'll
>> generate a cert with a SAN for idp.example.com in that service. I'm
>> generating the cert on idp.example.com, hence the service-add-host bit.
>>
>> On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)
>>
>> # kinit admin
>> # ipa host-add balancer.example.com
>> # ipa service-add HTTP/balancer.example.com --force
>> # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
>> # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem \
>>     -k /etc/pki/tls/private/balancer.key \
>>     -N CN=balancer.example.com -K HTTP/balancer.example.com \
>>     -D idp.example.com
>> # getcert list -i <id> until it goes to MONITORING
>> # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 11 (0xb)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>>         Validity
>>             Not Before: Mar 20 14:29:33 2015 GMT
>>             Not After : Mar 20 14:29:33 2017 GMT
>>         Subject: O=EXAMPLE.COM, CN=balancer.example.com
>> [SNIP]
>>         X509v3 extensions:
>> [SNIP]
>>             X509v3 Subject Alternative Name:
>>                 DNS:idp.example.com, othername:<unsupported>, othername:<unsupported>
>> [SNIP]
>>
>> SAN was definitely not supported in 3.0. Not sure about 3.3, should work
>> in 4.0+.
>>
>> rob
>>
>>>
>>> 2015-03-19 15:04 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> Isn't this documented well (yet) ?
>>>>
>>>> Is what documented yet?
>>>>
>>>> rob
>>>>
>>>>>
>>>>> The RH docs are always very detailed about it, but I'm not sure
>>>>> here... I see solutions but not 100% from A to Z to make sure we do it
>>>>> the proper way.
>>>>>
>>>>> 2015-03-12 16:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>> Not worried, I need to try.
>>>>>>
>>>>>> I think it's not an issue as we use persistence for the connection. We
>>>>>> only do some user adding/changing stuff, nothing really fancy but it
>>>>>> needs to be decent. As persistence comes in I think we don't have to
>>>>>> worry about it; we discussed that here earlier as I remember.
>>>>>>
>>>>>> Or do I ?
>>>>>>
>>>>>> Something else; did you have a nice PTO?
>>>>>>
>>>>>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>>> Matt . wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Security wise I can understand that.
>>>>>>>>
>>>>>>>> Yes, I have read about that... but would that let me use the
>>>>>>>> load balancer to connect? I was not sure if the SAN would "connect" as
>>>>>>>> "other" host.
>>>>>>>
>>>>>>> Kerberos through a load balancer can be a problem. Is this what you're
>>>>>>> worried about?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>>>>> Matt . wrote:
>>>>>>>>>> Hi Guys,
>>>>>>>>>>
>>>>>>>>>> Is Rob able to look at this? I hope he has some spare time as I'm
>>>>>>>>>> kinda stuck with this issue.
>>>>>>>>>
>>>>>>>>> Wildcard certs are not supported.
>>>>>>>>>
>>>>>>>>> You can request a SAN with certmonger using -D <FQDN>. That will work
>>>>>>>>> with IPA 4.x for sure, maybe 3.3.5.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>> I'm reviewing some things.
>>>>>>>>>>>
>>>>>>>>>>> When I'm using a load balancer, which I prefer in this setup, I need to
>>>>>>>>>>> have the same certificates on both servers. Maybe a wildcard for my
>>>>>>>>>>> domain could do instead of having only both FQDNs of the servers
>>>>>>>>>>> including the load balancer's FQDN.
>>>>>>>>>>>
>>>>>>>>>>> But the question remains, how?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I will balance with IP persistence so I think there won't be any
>>>>>>>>>>>> mixing as long as that "used" server is online.
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, understood.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But when a webservice executes a command (from scripting) against an SRV
>>>>>>>>>>>>>> record and the first is not reachable, would it try to do it again or
>>>>>>>>>>>>>> will DNS handle this in front of it?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>>>>>>>>>> checked if the user was able to auth himself using his LDAP
>>>>>>>>>>>>>> credentials; if so, this kinit exec is fired and I do some curl stuff
>>>>>>>>>>>>>> to the IPA server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That's why I wanted a load balancer: the load balancer sees if a server
>>>>>>>>>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>>>>>>>>>> I'm not sure if the SRV will handle this well when doing these commands
>>>>>>>>>>>>>> from PHP, for example. Building in extra checks in front could be
>>>>>>>>>>>>>> done but it's not ideal as a load balancer can handle such things much
>>>>>>>>>>>>>> better.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>>>>>>>>>> Rob. What is our failover logic for API?
>>>>>>>>>>>>>
>>>>>>>>>>>>> For CLI we use a negotiation and then we store a cookie, so as long as the
>>>>>>>>>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>>>>>>>>>> think you need to re-encrypt the traffic at the load balancer, and thus have a
>>>>>>>>>>>>> cert there, if you can enforce the use of the same server in this case.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>>>>>>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rob does that make sense for you?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm really bound to a load balancer, as it's an HA setup of load balancers;
>>>>>>>>>>>>>>>> SRV won't fit here, sorry to say.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>>>>>>>>>> believe ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Each entity in a Kerberos exchange has its own identity and key.
>>>>>>>>>>>>>>> If you send a ticket that is destined to service A instead to service B it
>>>>>>>>>>>>>>> would not work unless they share the same keys and identity. Sharing the same
>>>>>>>>>>>>>>> keys and identities between the servers just would not work with IPA.
>>>>>>>>>>>>>>> Keep in mind that IPA clients and servers need to work and fail over if you
>>>>>>>>>>>>>>> do not have any load balancers, and this is the common case. You are trying
>>>>>>>>>>>>>>> to add one where it is really not needed, creating overhead for yourself.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>>>>>>>>>> 100% there in step 6
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks again!
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Matthijs
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using
>>>>>>>>>>>>>>>>>> curl/json.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If we are talking purely about scripting, you can use the IPA Python API. It
>>>>>>>>>>>>>>>>> will handle failover for you even without any load balancer. That would be the
>>>>>>>>>>>>>>>>> easiest way.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>>>>>>>>>> central point where I can talk to, I use a load balancer.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Well, if you can control clients then the easiest and most universal way
>>>>>>>>>>>>>>>>> is to use DNS SRV records and add failover logic to clients. That solution
>>>>>>>>>>>>>>>>> works even when servers are geographically distributed/in different networks
>>>>>>>>>>>>>>>>> and does not have a single point of failure (the load balancer).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As I connect to the load balancer using DNAT, the client IP is known
>>>>>>>>>>>>>>>>>> on the IPA server. Because this is needed for the HTTP service
>>>>>>>>>>>>>>>>>> principals, I need to add the load balancer hostname to my IPA server
>>>>>>>>>>>>>>>>>> and add it as an alt name to its certificate.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a
>>>>>>>>>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on the
>>>>>>>>>>>>>>>>> IPA server have their own keytabs too. Every service on every server has its
>>>>>>>>>>>>>>>>> own keytab with a different key.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about the possibility
>>>>>>>>>>>>>>>>> of sharing keytabs between IPA services.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm still not sure if you want to have human users too or just API
>>>>>>>>>>>>>>>>> clients.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each
>>>>>>>>>>>>>>>>>>>> IPA server?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>>>>>>>>>> detail, please?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I
>>>>>>>>>>>>>>>>>>>>>> can use a load balancer in front of my IPA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Are you talking about the FreeIPA web interface? It is technically
>>>>>>>>>>>>>>>>>>>>> possible to use a load balancer but it will be really hacky. You would
>>>>>>>>>>>>>>>>>>>>> have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I would recommend you to use "something" which issues an HTTP redirect
>>>>>>>>>>>>>>>>>>>>> to IPA server 1/2/3/4/5 according to current state instead of using a
>>>>>>>>>>>>>>>>>>>>> classical load balancer on the network level. A normal HTTP redirect will
>>>>>>>>>>>>>>>>>>>>> not force you to mess with certs and keytabs.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Petr Spacek  @  Red Hat
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>
>>
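Added worked example (not code from the thread, FreeIPA, certmonger or wget): the hostname check a TLS client such as wget performs, following RFC 6125 / RFC 2818, run over the two certificates discussed above. Matt's certificate (CN=ldap-01.mydomain.tld, no SAN) is checked against ldap.mydomain.tld, which reproduces the wget error quoted in the thread. Rob's certmonger-issued certificate (CN=balancer.example.com, SAN DNS:idp.example.com) illustrates the caveat a practitioner should keep in mind: once a certificate carries any SAN dNSName, RFC 6125 clients match only against the SAN and no longer consult the CN, so every name a client will connect to, including the balancer's own name, has to be a SAN entry (with certmonger that means an additional `-D balancer.example.com` on the `ipa-getcert request` line; that extra option is my suggestion, not something the thread shows). The certificate dicts are constructed here to mirror the shape `ssl.SSLSocket.getpeercert()` returns, so `names_from_peercert` can be fed a real peer certificate; only the standard library is used and nothing is fetched from a server.

```python
"""RFC 6125 / RFC 2818 hostname matching, as a TLS client such as wget applies it.

Added illustration for this thread; not code from FreeIPA, certmonger or wget.
Standard library only. The two certificates below are constructed from the
details quoted in the thread, not fetched from any server.
"""


def _dns_name_matches(pattern, hostname):
    """Match one SAN dNSName (or CN) pattern against a requested hostname.

    Rules as commonly implemented (RFC 6125 section 6.4.3):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is accepted only as the entire left-most label and must be
      followed by at least two more labels (so "*.tld" is refused);
    - the wildcard covers exactly one label: "*.example.com" matches
      "idp.example.com" but neither "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_hostname(hostname, cn, san_dns):
    """Return (ok, reason) for a certificate with subject CN `cn` and SAN
    dNSName entries `san_dns`, presented for a connection to `hostname`.

    When the certificate carries any dNSName, only those names count; the CN
    is consulted only for a certificate that has no dNSName at all.
    """
    if san_dns:
        for name in san_dns:
            if _dns_name_matches(name, hostname):
                return True, f"matched SAN DNS:{name}"
        return False, (f"no SAN DNS name matches {hostname!r}; CN {cn!r} is not "
                       f"consulted because a SAN is present")
    if cn is not None and _dns_name_matches(cn, hostname):
        return True, f"matched CN {cn!r} (certificate has no SAN)"
    return False, (f"certificate common name {cn!r} doesn't match requested "
                   f"host name {hostname!r}")


def names_from_peercert(cert):
    """Pull (cn, [dns names]) out of the dict ssl.SSLSocket.getpeercert()
    returns: 'subject' is a tuple of RDNs, each a tuple of (type, value)
    pairs; 'subjectAltName' is a tuple of (type, value) pairs."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                cn = value
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS"]
    return cn, san_dns


def check(cert, hostname):
    """Hostname check for a getpeercert()-style certificate dict."""
    cn, san_dns = names_from_peercert(cert)
    return matches_hostname(hostname, cn, san_dns)


# Constructed from the thread, in getpeercert() shape. Matt's server cert has
# no SAN and a CN for the real host; Rob's cert has the balancer name in the
# CN and only idp.example.com as a DNS SAN (the two othername entries from his
# openssl output are written the way Python reports unsupported SAN types).
MATT_CERT = {
    "subject": ((("organizationName", "MYDOMAIN.TLD"),),
                (("commonName", "ldap-01.mydomain.tld"),)),
}
ROB_CERT = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "balancer.example.com"),)),
    "subjectAltName": (("DNS", "idp.example.com"),
                       ("othername", "<unsupported>"),
                       ("othername", "<unsupported>")),
}

if __name__ == "__main__":
    cases = [
        (MATT_CERT, "ldap.mydomain.tld"),     # the wget failure in the thread
        (MATT_CERT, "ldap-01.mydomain.tld"),  # the name the cert was issued for
        (ROB_CERT, "idp.example.com"),        # covered by the -D SAN entry
        (ROB_CERT, "balancer.example.com"),   # CN only: rejected once a SAN exists
    ]
    for cert, host in cases:
        ok, reason = check(cert, host)
        print(f"{host:24} {'OK  ' if ok else 'FAIL'} {reason}")
```

To apply this to a live endpoint, open an `ssl` socket with `check_hostname=False` so the handshake completes, call `getpeercert()` and pass the result to `check()`; the reason string then tells you whether it is the missing SAN, the ignored CN, or a wildcard rule that made the name unacceptable.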




More information about the Freeipa-users mailing list