[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Sat Mar 28 09:17:47 UTC 2015


Rob,

As I was responding a little bit late last night, the following came to mind.

As you say I need to request my cert with two names, how do you mean?
I'm using curl at the moment so figuring that out.

As the same issue happens in the GUI itself I think this might be a
problem. When I access ldap-01 directly it complains at the services
tab on some servicehosts that are in there, and some not.

I think this is not a simple PTR or A record fix, I'm curious how to do.

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> I'm almost there but what happens when I regenerate a certificate for
>> the ldap server I get the following when I visit it through the
>> loadbalancer:
>>
>> no alternative certificate subject name matches target host name
>> 'ldap-01.domain....'
>>
>> I think this is strange as the certificate shows the ldap under the
>> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
>> but only on the certificate itself.
>
> It turns out that NSS implements cert checking very strictly following
> RFC 2818 while OpenSSL is a bit more lax about it.
>
> The RFC states that if there is a subjectAltName then only that is used
> to validate the hostname. And in fact, it discourages using the subject
> at all and ONLY relying on the subjectAltName, though it does recognize
> that it is current practice (and was that way in 2000 as well).
>
> So you need to request your new cert with TWO names: the host name and
> the alternate name. That should make the cert work anyway.
>
> rob
>
>>
>>
>>
>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> HI Rob,
>>>>
>>>> Yes something is wrong there I guess.
>>>
>>> In any case, it doesn't apply to what you're trying to do.
>>>
>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>> is different I think than the services at least.
>>>>
>>>> So the question there is... how ?
>>>
>>> What webserver cert? Are you trying to load balance the IPA services via
>>> DNS?
>>>
>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>> is not the same as giving a proper answer. I have the feeling you want
>>> to load balance IPA in general which isn't going to work without a ton
>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>
>>> In any case, the instructions I've already provided still apply.
>>>
>>> If you want to replace the Apache webserver cert you'll just need to do
>>> a couple of things first which has the potential of completely breaking
>>> IPA, so you'll need to be careful.
>>>
>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>
>>> Stop tracking the Apache cert in certmonger:
>>>
>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>
>>> Delete the existing cert:
>>>
>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>
>>> Like I said, destructive.
>>>
>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>> is slightly different than before, mostly because I'm just guessing in
>>> the dark because you aren't including enough details into what you're
>>> trying.
>>>
>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com \
>>>     -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>
>>> In this case the IPA server is ipa1.example.com and you're creating a
>>> SAN for ipa.example.com.
>>>
>>> Restart httpd.
>>>
>>> Note that this doesn't solve the Kerberos problem so cli access will
>>> still not work as expected. The UI _might_ work using forms-based
>>> authentication.
>>>
>>> I'd strongly urge you to think about the top of this e-mail before
>>> proceeding onto the bottom.
>>>
>>> rob
>>>
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> When digging around I see this documentation:
>>>>>>
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>
>>>>>> I would expect that server.example.com is not going to be accepted by
>>>>>> IPA when you visit the webgui like that?
>>>>>
>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>> web browser.
>>>>>
>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>> think it should be example.com and not server.example.com. But in any
>>>>> case it is irrelevant to a browser.
>>>>>
>>>>> rob
>>>>>
>>>
>
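Rob's RFC 2818 point above, as an added example that is not part of the thread: a small Python model of the hostname check with a strict mode (SAN-only, as NSS does) and a lax mode (also consulting the subject CN). The cert shapes are constructed and reuse the example.com names from Rob's ipa-getcert command; wildcard handling is simplified to a whole leftmost label.

```python
# Added example (not from the thread): RFC 2818 section 3.1 hostname matching.
# Shows why a cert with CN=ipa1 and only SAN=ipa fails a strict (NSS-style)
# check when visited as ipa1, but passes a laxer check that also reads the CN,
# and why requesting the cert with BOTH names fixes it under either check.

def _name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, label by label.
    Simplification: '*' is honoured only as the entire leftmost label."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        return pat[1:] == host[1:]
    return pat == host

def matches_hostname(subject_cn: str, san_dns: list[str], hostname: str,
                     strict: bool = True) -> bool:
    """strict=True: RFC 2818 rule, if any dNSName SAN exists only SANs count.
    strict=False: models laxer checkers that still fall back to the CN."""
    if any(_name_match(name, hostname) for name in san_dns):
        return True
    if san_dns and strict:
        return False  # SANs present, so the subject CN must be ignored
    return _name_match(subject_cn, hostname)

# Constructed cert shapes: the cert as first requested, and with both names.
BEFORE = {"subject_cn": "ipa1.example.com", "san_dns": ["ipa.example.com"]}
AFTER = {"subject_cn": "ipa1.example.com",
         "san_dns": ["ipa1.example.com", "ipa.example.com"]}

def check(cert: dict, hostname: str, strict: bool = True) -> bool:
    return matches_hostname(cert["subject_cn"], cert["san_dns"], hostname, strict)

if __name__ == "__main__":
    for label, cert in (("before", BEFORE), ("after", AFTER)):
        for host in ("ipa1.example.com", "ipa.example.com"):
            print(f"{label:6} {host:17} strict={check(cert, host)} "
                  f"lax={check(cert, host, strict=False)}")
```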