[Freeipa-users] subjectAlternativeName for webservice

Matt . yamakasi.014 at gmail.com
Fri Mar 27 16:07:55 UTC 2015


I'm almost there, but when I regenerate a certificate for the ldap
server I get the following when I visit it through the loadbalancer:

no alternative certificate subject name matches target host name
'ldap-01.domain....'

I think this is strange, as the certificate shows the ldap host under the
altnames for HTTP/ldap-01, but there is indeed no ldap-01 as an altname,
only on the certificate itself.



2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> HI Rob,
>>
>> Yes something is wrong there I guess.
>
> In any case, it doesn't apply to what you're trying to do.
>
>> But still, I actually need to add a SAN to the webserver cert, which
>> is different I think than the services at least.
>>
>> So the question there is... how ?
>
> What webserver cert? Are you trying to load balance the IPA services via
> DNS?
>
> Not knowing what you want, I'm just answering what you are ASKING. That
> is not the same as giving a proper answer. I have the feeling you want
> to load balance IPA in general which isn't going to work without a ton
> of (ongoing) manual effort. Even Microsoft recommends against trying
> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>
> In any case, the instructions I've already provided still apply.
>
> If you want to replace the Apache webserver cert you'll just need to do
> a couple of things first which have the potential of completely breaking
> IPA, so you'll need to be careful.
>
> Before you do anything, backup *.db in /etc/httpd/alias.
>
> Stop tracking the Apache cert in certmonger:
>
> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>
> Delete the existing cert:
>
> # certutil -D -d /etc/httpd/alias -n Server-Cert
>
> Like I said, destructive.
>
> Finally use certmonger to get a new cert that includes a SAN. The syntax
> is slightly different than before, mostly because I'm just guessing in
> the dark because you aren't including enough details about what you're
> trying.
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>
> In this case the IPA server is ipa1.example.com and you're creating a
> SAN for ipa.example.com.
>
> Restart httpd.
>
> Note that this doesn't solve the Kerberos problem so cli access will
> still not work as expected. The UI _might_ work using forms-based
> authentication.
>
> I'd strongly urge you to think about the top of this e-mail before
> proceeding onto the bottom.
>
> rob
>
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> When digging around I see this documentation:
>>>>
>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>
>>>> I would expect that server.example.com is not going to be accepted by
>>>> IPA when you visit the webgui like that ?
>>>
>>> These are SRV records for the ldap service. Think of it as discovery for
>>> who provides ldap service in the domain. It isn't something used by a
>>> web browser.
>>>
>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>> think it should be example.com and not server.example.com. But in any
>>> case it is irrelevant to a browser.
>>>
>>> rob
>>>
>
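The "no alternative certificate subject name matches target host name" error above is the client-side name-matching rule of RFC 6125 at work: as soon as a certificate carries any dNSName entry in subjectAltName, curl, browsers and Python's ssl module ignore the subject CN completely, so a cert requested with -N CN=ipa1.example.com -D ipa.example.com is valid for ipa.example.com but no longer for ipa1.example.com itself. An otherName SAN such as the HTTP/... Kerberos principal does not count as a DNS name and does not trigger that rule. The script below is an added example written for this page, not code from the thread or from FreeIPA or certmonger; it implements that matching rule over certificates in the dict shape ssl.SSLSocket.getpeercert() returns, and the three certificates in it (host names ipa1.example.com, ipa.example.com, realm EXAMPLE.COM) are constructed to mirror the thread's example.

```python
"""Server-certificate hostname matching as TLS clients do it (RFC 6125).

Rule demonstrated: if the certificate has any dNSName subjectAltName, only
those names are consulted and the subject CN is ignored; the CN is a fallback
used only when no dNSName SAN exists at all.  Certificates below are dicts in
the shape of ssl.SSLSocket.getpeercert(); all three are constructed for this
example and are not real FreeIPA output.
"""


def _dns_name_matches(pattern, hostname):
    """Case-insensitive match of one dNSName (or CN) pattern against hostname.

    A wildcard is honoured only as the entire leftmost label, only when at
    least two labels follow it, and it matches exactly one label
    (RFC 6125 section 6.4.3).  Trailing dots are ignored on both sides.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return (len(p_labels) >= 3
                and len(h_labels) == len(p_labels)
                and h_labels[0] != ""
                and h_labels[1:] == p_labels[1:])
    return False


def match_hostname(cert, hostname):
    """Return (matched, reason) for cert against the name the client dialled."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_name_matches(name, hostname):
                return True, "matched subjectAltName dNSName %s" % name
        # dNSName entries exist but none fit: the CN is NOT consulted.
        # This is the wording curl prints in the thread above.
        return False, ("no alternative certificate subject name matches "
                       "target host name '%s'" % hostname)
    # No dNSName SAN at all (an otherName such as a Kerberos principal does
    # not count): legacy fallback to the subject commonName.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_name_matches(value, hostname):
                return True, "matched subject CN %s (no dNSName SAN)" % value
    return False, "subject CN does not match target host name '%s'" % hostname


# Constructed: cert requested as in the thread's example, CN is the real host
# and the only dNSName SAN is the load-balancer name.
CERT_LB_SAN_ONLY = {
    "subject": ((("commonName", "ipa1.example.com"),),),
    "subjectAltName": (
        ("DNS", "ipa.example.com"),
        ("othername", "HTTP/ipa1.example.com@EXAMPLE.COM"),  # Kerberos principal
    ),
}

# Constructed: same request but with both names given as SANs.
CERT_BOTH_SANS = {
    "subject": ((("commonName", "ipa1.example.com"),),),
    "subjectAltName": (
        ("DNS", "ipa.example.com"),
        ("DNS", "ipa1.example.com"),
        ("othername", "HTTP/ipa1.example.com@EXAMPLE.COM"),
    ),
}

# Constructed: only an otherName SAN, so clients fall back to the CN.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ipa1.example.com"),),),
    "subjectAltName": (
        ("othername", "HTTP/ipa1.example.com@EXAMPLE.COM"),
    ),
}


if __name__ == "__main__":
    for label, cert in (("lb-san-only", CERT_LB_SAN_ONLY),
                        ("both-sans", CERT_BOTH_SANS),
                        ("cn-only", CERT_CN_ONLY)):
        for host in ("ipa.example.com", "ipa1.example.com"):
            ok, why = match_hostname(cert, host)
            print("%-12s %-17s %-5s %s" % (label, host, ok, why))
```

The practical consequence for the certmonger request in the quoted reply: list every name the service is reached by, including the server's own hostname, as a dNSName SAN. getcert request accepts -D more than once, so the request would carry -D ipa.example.com -D ipa1.example.com; relying on the CN for the host's own name stops working the moment the first -D is added.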