[Freeipa-users] subjectAlternativeName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 26 21:11:11 UTC 2015


Hi,

This should be it, and it worked for generating the cert with the altname
ldap.domain.tld.

When I log in and go to services I get the following:

cannot connect to
'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
requested domain name does not match the server's certificate.

So I'm a little bit confused here as the certificate contains both hostnames.

A simple wget also says that ldap-01 doesn't exist:

 https://ldap-01.domain.tld/ipa/json
Connecting to ldap-01.domain.tld
(ldap-01.domain.tld)|10.100.0.251|:443... connected.
ERROR: no certificate subject alternative name matches
        requested host name 'ldap-01.domain.tld'.
To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.



2015-03-26 20:43 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Rob,
>
> Thank you very much!
>
> I think this will work out as it's only https traffic.
>
> I will report back!
>
> Thanks a lot!
>
> Matt
>
> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> Hi Rob,
>>>
>>> Yes something is wrong there I guess.
>>
>> In any case, it doesn't apply to what you're trying to do.
>>
>>> But still, I actually need to add a SAN to the webserver cert, which
>>> is different I think than the services at least.
>>>
>>> So the question there is... how ?
>>
>> What webserver cert? Are you trying to load balance the IPA services via
>> DNS?
>>
>> Not knowing what you want, I'm just answering what you are ASKING. That
>> is not the same as giving a proper answer. I have the feeling you want
>> to load balance IPA in general which isn't going to work without a ton
>> of (ongoing) manual effort. Even Microsoft recommends against trying
>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>
>> In any case, the instructions I've already provided still apply.
>>
>> If you want to replace the Apache webserver cert you'll just need to do
>> a couple of things first, which have the potential to completely break
>> IPA, so you'll need to be careful.
>>
>> Before you do anything, backup *.db in /etc/httpd/alias.
>>
>> Stop tracking the Apache cert in certmonger:
>>
>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>
>> Delete the existing cert:
>>
>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>
>> Like I said, destructive.
>>
>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>> is slightly different from before, mostly because I'm just guessing in
>> the dark because you aren't including enough details about what you're
>> trying.
>>
>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com \
>>     -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>
>> In this case the IPA server is ipa1.example.com and you're creating a
>> SAN for ipa.example.com.
>>
>> Restart httpd.
>>
>> Note that this doesn't solve the Kerberos problem so cli access will
>> still not work as expected. The UI _might_ work using forms-based
>> authentication.
>>
>> I'd strongly urge you to think about the top of this e-mail before
>> proceeding onto the bottom.
>>
>> rob
>>
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> When digging around I see this documentation:
>>>>>
>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>
>>>>> I would expect that server.example.com is not going to be accepted by
>>>>> IPA when you visit the webgui like that?
>>>>
>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>> who provides ldap service in the domain. It isn't something used by a
>>>> web browser.
>>>>
>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>> think it should be example.com and not server.example.com. But in any
>>>> case it is irrelevant to a browser.
>>>>
>>>> rob
>>>>
>>
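Added example, not code from the thread, from FreeIPA or from certmonger: why the SSL_ERROR_BAD_CERT_DOMAIN and the wget error above appear even though the certificate "contains both hostnames". The Subject CN is ldap-01.domain.tld, but the only subjectAltName entry is ldap.domain.tld. Under RFC 6125 section 6.4.4, which NSS (Firefox's SSL_ERROR_BAD_CERT_DOMAIN) and wget both follow, a verifier that finds dNSName entries in the SAN matches the requested host only against those entries and ignores the CN entirely; the CN is consulted only for certificates with no DNS names in the SAN. A certmonger request therefore needs a -D for every name the server will be addressed by, the host's own name included (getcert's -D may be given more than once). The script below implements that matching rule, including the wildcard restrictions, over the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the three certificates in it are constructed to mirror the thread, not captured from any server.

```python
"""Host name matching the way TLS clients do it (RFC 6125 section 6.4.4).

Added example, not FreeIPA or certmonger code. Certificates are passed in
the dict shape that ssl.SSLSocket.getpeercert() returns, so the same
function can also be pointed at a live peer certificate.
"""


def san_dns_names(cert):
    """dNSName entries from subjectAltName; empty if the extension is absent."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert):
    """commonName values from the Subject DN (legacy CN-ID identifiers)."""
    return [value
            for rdn in cert.get("subject", ())
            for attr, value in rdn
            if attr == "commonName"]


def identifier_matches(presented, hostname):
    """Compare one presented identifier against the requested host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole left-most label, must be followed by at least
    two more labels, and matches exactly one non-empty label.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False  # partial wildcards (ldap*.x) and *.tld are rejected
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(cert, hostname):
    """True if a client would accept `cert` for `hostname`.

    If the SAN carries any dNSName, only those are consulted and the Subject
    CN is ignored. The CN is used only as a fallback for certificates that
    have no DNS names in the SAN.
    """
    candidates = san_dns_names(cert) or subject_common_names(cert)
    return any(identifier_matches(p, hostname) for p in candidates)


def explain(cert, hostname):
    """One-line verdict in the spirit of wget's error message."""
    if hostname_matches(cert, hostname):
        return f"{hostname}: OK"
    if san_dns_names(cert):
        return (f"{hostname}: no certificate subject alternative name matches "
                f"(SAN={san_dns_names(cert)}, CN ignored)")
    return f"{hostname}: no CN matches and no SAN present"


# Constructed to mirror the thread: CN holds the real host, SAN only the alias.
CERT_SAN_ALIAS_ONLY = {
    "subject": ((("commonName", "ldap-01.domain.tld"),),),
    "subjectAltName": (("DNS", "ldap.domain.tld"),),
}
# Constructed: the same certificate requested with both names in the SAN.
CERT_SAN_BOTH = {
    "subject": ((("commonName", "ldap-01.domain.tld"),),),
    "subjectAltName": (("DNS", "ldap-01.domain.tld"), ("DNS", "ldap.domain.tld")),
}
# Constructed: legacy certificate with no SAN at all, so the CN is consulted.
CERT_NO_SAN = {
    "subject": ((("commonName", "ldap-01.domain.tld"),),),
}

if __name__ == "__main__":
    for label, cert in (("SAN alias only", CERT_SAN_ALIAS_ONLY),
                        ("SAN both names", CERT_SAN_BOTH),
                        ("no SAN", CERT_NO_SAN)):
        print(label)
        for host in ("ldap-01.domain.tld", "ldap.domain.tld"):
            print("  " + explain(cert, host))
```

Run stand-alone it prints the verdict for both host names against each certificate: the alias-only certificate is rejected for ldap-01.domain.tld exactly as in the thread, the two-name certificate passes for both, and the SAN-less certificate passes only because the CN fallback still applies to it. To test a deployed server, replace the constructed dicts with the result of `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()` after loading the IPA CA into the context.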