[Freeipa-users] subjectAlternitiveName for webservice

Fri Mar 27 17:57:24 UTC 2015

Matt . wrote:
> I'm almost there but what happens when I regenerate a certificate for
> the ldap server I get the following when I visit it through the
> loadbalancer:
> 
> no alternative certificate subject name matches target host name
> 'ldap-01.domain....'
> 
> I think this is strange as the certificate shows the ldap under the
> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
> but only on the certificate itself.

It turns out that NSS implements cert checking very strictly following
RFC 2818 while OpenSSL is a bit more lax about it.

The RFC states that if there is a subjectAltName then only that is used
to validate the hostname. And in fact, it discourages using the subject
at all and ONLY relying on the subjectAltName, though it does recognize
that it is current practice (and was that way in 2000 as well).

So you need to request your new cert with TWO names: the host name and
the alternate name. That should make the cert work anyway.

rob

> 
> 
> 
> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> HI Rob,
>>>
>>> Yes something is wrong there I guess.
>>
>> In any case, it doesn't apply to what you're trying to do.
>>
>>> But still, I actually need to add a SAN to the webserver cert, which
>>> is different I think than the services at least.
>>>
>>> So the question there is... how ?
>>
>> What webserver cert? Are you trying to load balance the IPA services via
>> DNS?
>>
>> Not knowing what you want, I'm just answering what you are ASKING. That
>> is not the same as giving a proper answer. I have the feeling you want
>> to load balance IPA in general which isn't going to work without a ton
>> of (ongoing) manual effort. Even Microsoft recommends against trying
>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>
>> In any case, the instructions I've already provided still apply.
>>
>> If you want to replace the Apache webserver cert you'll just need to do
>> a couple of things first which has the potential of completely breaking
>> IPA, so you'll need to be careful.
>>
>> Before you do anything, backup *.db in /etc/httpd/alias.
>>
>> Stop tracking the Apache cert in certmonger:
>>
>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>
>> Delete the existing cert:
>>
>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>
>> Like I said, destructive.
>>
>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>> is slightly different than before, mostly because I'm just guessing in
>> the dark because you aren't including enough details into what you're
>> trying.
>>
>> # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
>> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>
>> In this case the IPA server is ipa1.example.com and you're creating a
>> SAN for ipa.example.com.
>>
>> Restart httpd.
>>
>> Note that this doesn't solve the Kerberos problem so cli access will
>> still not work as expected. The UI _might_ work using forms-based
>> authentication.
>>
>> I'd strongly urge you to think about the top of this e-mail before
>> proceeding onto the bottom.
>>
>> rob
>>
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> When digging around I see this documentation:
>>>>>
>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>
>>>>> I would except that server.example.com is not going to be accepted by
>>>>> IPA when you visit the webgui like that ?
>>>>
>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>> who provides ldap service in the domain. It isn't something used by a
>>>> web browser.
>>>>
>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>> think it should be example.com and not server.example.com. But in any
>>>> case it is irrelevant to a browser.
>>>>
>>>> rob
>>>>
>>