[Freeipa-users] subjectAlternativeName for webservice

Rob Crittenden rcritten at redhat.com
Thu Mar 26 15:48:36 UTC 2015


Matt . wrote:
> Hi Rob,
> 
> Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

> But still, I actually need to add a SAN to the webserver cert, which
> is different I think than the services at least.
> 
> So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via
DNS?

Not knowing what you want, I'm just answering what you are ASKING. That
is not the same as giving a proper answer. I have the feeling you want
to load balance IPA in general which isn't going to work without a ton
of (ongoing) manual effort. Even Microsoft recommends against trying
this in its AD environment: http://support.microsoft.com/en-us/kb/325608

In any case, the instructions I've already provided still apply.

If you want to replace the Apache webserver cert you'll just need to do
a couple of things first which have the potential of completely breaking
IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax
is slightly different than before, mostly because I'm just guessing in
the dark because you aren't including enough details about what you're
trying.

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com \
-K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is ipa1.example.com and you're creating a
SAN for ipa.example.com.

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will
still not work as expected. The UI _might_ work using forms-based
authentication.

I'd strongly urge you to think about the top of this e-mail before
proceeding onto the bottom.

rob

> 
> Cheers,
> 
> Matt
> 
> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> When digging around I see this documentation:
>>>
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>
>>> I would expect that server.example.com is not going to be accepted by
>>> IPA when you visit the webgui like that ?
>>
>> These are SRV records for the ldap service. Think of it as discovery for
>> who provides ldap service in the domain. It isn't something used by a
>> web browser.
>>
>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>> think it should be example.com and not server.example.com. But in any
>> case it is irrelevant to a browser.
>>
>> rob
>>
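The re-issue steps from Rob's message, wrapped as an added example script (not code from the thread or from FreeIPA itself) that refuses to delete anything unless the backup of the NSS databases actually copied something, waits for certmonger to deliver the new cert, and checks that the Subject Alt Name really lists the extra DNS name before httpd is restarted. Hostnames are the ones from the thread; the pwdfile path, backup directory naming and the RUN_REISSUE guard are assumptions.

```shell
#!/bin/sh
# Added example: backup, re-request with a DNS SAN, then verify the SAN.
set -eu

ALIAS_DIR=${ALIAS_DIR:-/etc/httpd/alias}   # httpd NSS database, as in the thread
NICK=Server-Cert
IPA_HOST=ipa1.example.com                  # the IPA server itself (thread value)
SAN_HOST=ipa.example.com                   # extra DNS name wanted in the SAN
PWDFILE=$ALIAS_DIR/pwdfile.txt             # assumed NSS pin file path

# Copy every NSS database file (*.db) from $1 into directory $2.
# Returns 1 if nothing was copied, so the caller stops before deleting anything.
backup_nss_db() {
    mkdir -p "$2"
    count=0
    for f in "$1"/*.db; do
        [ -f "$f" ] || continue
        cp -p "$f" "$2"/ && count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Read a 'certutil -L -n NICK' pretty-print on stdin; succeed only if the
# Subject Alt Name extension contains a "DNS name:" entry for host $1.
san_lists_host() {
    grep -i 'DNS name:' | grep -qiw "$1"
}

reissue_with_san() {
    backup_nss_db "$ALIAS_DIR" "$ALIAS_DIR.bak.$(date +%Y%m%d%H%M%S)"
    ipa-getcert stop-tracking -d "$ALIAS_DIR" -n "$NICK"
    certutil -D -d "$ALIAS_DIR" -n "$NICK"          # destructive step
    ipa-getcert request -d "$ALIAS_DIR" -n "$NICK" -N "CN=$IPA_HOST" \
        -K "HTTP/$IPA_HOST" -D "$SAN_HOST" -p "$PWDFILE"
    # certmonger issues asynchronously: wait until the cert is back in the DB.
    while ! certutil -L -d "$ALIAS_DIR" -n "$NICK" >/dev/null 2>&1; do
        sleep 2
    done
    # Do not restart httpd behind a cert that is missing the SAN we asked for.
    certutil -L -d "$ALIAS_DIR" -n "$NICK" | san_lists_host "$SAN_HOST"
    systemctl restart httpd
}

# Only touch the live system when explicitly asked (RUN_REISSUE=1 ./script.sh).
if [ "${RUN_REISSUE:-0}" = 1 ]; then
    reissue_with_san
fi
```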