[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Thu Mar 26 21:30:02 UTC 2015 

OK some new update:

When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a
301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt

But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my
browser it just works fine.

2015-03-26 22:11 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Hi,
>
> This should be it and worked for generating the cert with the altname
> ldap.domain.tld
>
> When I login and I go to services I get the following:
>
> cannot connect to
> 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
> requested domain name does not match the server's certificate.
>
> So I'm a little bit confused here as the certificate contains both hostnames.
>
> A simple wget says the ldap-01 doesn't exist also:
>
>  https://ldap-01.domain.tld/ipa/json
> Connecting to ldap-01.domain.tld
> (ldap-01.domain.tld)|10.100.0.251|:443... connected.
> ERROR: no certificate subject alternative name matches
>         requested host name 'ldap-01.domain.tld'.
> To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.
>
>
>
> 2015-03-26 20:43 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Rob,
>>
>> Thank you very much!
>>
>> I think this will work out as it's only https traffic.
>>
>> I will report back!
>>
>> Thanks a lot!
>>
>> Matt
>>
>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> HI Rob,
>>>>
>>>> Yes something is wrong there I guess.
>>>
>>> In any case, it doesn't apply to what you're trying to do.
>>>
>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>> is different I think than the services at least.
>>>>
>>>> So the question there is... how ?
>>>
>>> What webserver cert? Are you trying to load balance the IPA services via
>>> DNS?
>>>
>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>> is not the same as giving a proper answer. I have the feeling you want
>>> to load balance IPA in general which isn't going to work without a ton
>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>
>>> In any case, the instructions I've already provided still apply.
>>>
>>> If you want to replace the Apache webserver cert you'll just need to do
>>> a couple of things first which has the potential of completely breaking
>>> IPA, so you'll need to be careful.
>>>
>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>
>>> Stop tracking the Apache cert in certmonger:
>>>
>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>
>>> Delete the existing cert:
>>>
>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>
>>> Like I said, destructive.
>>>
>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>> is slightly different than before, mostly because I'm just guessing in
>>> the dark because you aren't including enough details into what you're
>>> trying.
>>>
>>> # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
>>> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>
>>> In this case the IPA server is ipa1.example.com and you're creating a
>>> SAN for ipa.example.com.
>>>
>>> Restart httpd.
>>>
>>> Note that this doesn't solve the Kerberos problem so cli access will
>>> still not work as expected. The UI _might_ work using forms-based
>>> authentication.
>>>
>>> I'd strongly urge you to think about the top of this e-mail before
>>> proceeding onto the bottom.
>>>
>>> rob
>>>
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> When digging around I see this documentation:
>>>>>>
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>
>>>>>> I would except that server.example.com is not going to be accepted by
>>>>>> IPA when you visit the webgui like that ?
>>>>>
>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>> web browser.
>>>>>
>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>> think it should be example.com and not server.example.com. But in any
>>>>> case it is irrelevant to a browser.
>>>>>
>>>>> rob
>>>>>
>>>

More information about the Freeipa-users mailing list