[Freeipa-users] subjectAlternativeName for webservice

Matt . yamakasi.014 at gmail.com
Sat Mar 28 09:52:23 UTC 2015


Rob,

I just saw your message on IRC from a couple of hours ago... time difference ;)

Thanks,

Matt

2015-03-28 10:17 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Rob,
>
> As I was responding a little bit late last night, the following came to mind.
>
> As you say I need to request my cert with two names; how do you mean?
> I'm using curl at the moment, so I'm figuring that out.
>
> As the same issue happens in the GUI itself, I think this might be a
> problem. When I access ldap-01 directly it complains at the services
> tab on some service hosts that are in there, and some not.
>
> I think this is not a simple PTR or A record fix; I'm curious how to do it.
>
> Cheers,
>
> Matt
>
> 2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> I'm almost there, but when I regenerate a certificate for the ldap
>>> server I get the following when I visit it through the
>>> loadbalancer:
>>>
>>> no alternative certificate subject name matches target host name
>>> 'ldap-01.domain....'
>>>
>>> I think this is strange, as the certificate shows the ldap under the
>>> altnames for HTTP/ldap-01, but there is indeed no ldap-01 as altname,
>>> only on the certificate itself.
>>
>> It turns out that NSS implements cert checking very strictly following
>> RFC 2818 while OpenSSL is a bit more lax about it.
>>
>> The RFC states that if there is a subjectAltName then only that is used
>> to validate the hostname. And in fact, it discourages using the subject
>> at all and ONLY relying on the subjectAltName, though it does recognize
>> that it is current practice (and was that way in 2000 as well).
>>
>> So you need to request your new cert with TWO names: the host name and
>> the alternate name. That should make the cert work anyway.
>>
>> rob
>>
>>>
>>>
>>>
>>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> Hi Rob,
>>>>>
>>>>> Yes something is wrong there I guess.
>>>>
>>>> In any case, it doesn't apply to what you're trying to do.
>>>>
>>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>>> I think is different from the services at least.
>>>>>
>>>>> So the question there is... how ?
>>>>
>>>> What webserver cert? Are you trying to load balance the IPA services via
>>>> DNS?
>>>>
>>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>>> is not the same as giving a proper answer. I have the feeling you want
>>>> to load balance IPA in general which isn't going to work without a ton
>>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>>
>>>> In any case, the instructions I've already provided still apply.
>>>>
>>>> If you want to replace the Apache webserver cert you'll just need to do
>>>> a couple of things first which have the potential of completely breaking
>>>> IPA, so you'll need to be careful.
>>>>
>>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>>
>>>> Stop tracking the Apache cert in certmonger:
>>>>
>>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Delete the existing cert:
>>>>
>>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Like I said, destructive.
>>>>
>>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>>> is slightly different than before, mostly because I'm just guessing in
>>>> the dark because you aren't including enough details into what you're
>>>> trying.
>>>>
>>>> # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
>>>> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>>
>>>> In this case the IPA server is ipa1.example.com and you're creating a
>>>> SAN for ipa.example.com.
>>>>
>>>> Restart httpd.
>>>>
>>>> Note that this doesn't solve the Kerberos problem so cli access will
>>>> still not work as expected. The UI _might_ work using forms-based
>>>> authentication.
>>>>
>>>> I'd strongly urge you to think about the top of this e-mail before
>>>> proceeding onto the bottom.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>>> Matt . wrote:
>>>>>>> When digging around I see this documentation:
>>>>>>>
>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>>
>>>>>>> I would expect that server.example.com is not going to be accepted by
>>>>>>> IPA when you visit the webgui like that?
>>>>>>
>>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>>> web browser.
>>>>>>
>>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>>> think it should be example.com and not server.example.com. But in any
>>>>>> case it is irrelevant to a browser.
>>>>>>
>>>>>> rob
>>>>>>
>>>>
>>
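Rob's point about RFC 2818 (quoted above) is the crux of the thread: once a certificate carries a subjectAltName, a strict client such as NSS ignores the subject CN entirely, which is why Matt's regenerated cert (CN for the real host, SAN only for the load-balancer name) fails for the real host name while OpenSSL-based clients let it through. The checker below is an added example, not code from the thread, from FreeIPA, NSS or curl. It models both behaviours so the two certificates can be compared side by side. The host names ldap-01.example.com and ipa.example.com are assumed stand-ins for Matt's names; the certificate dicts are constructed by hand in the same shape that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a live peer certificate.

```python
"""RFC 2818-style hostname check: subjectAltName wins over the subject CN.

Added example, not code from the thread or from FreeIPA/NSS/curl. Host
names are assumed stand-ins; certificate dicts are constructed in the
shape returned by ssl.SSLSocket.getpeercert().
"""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (optionally '*.example.com') against a hostname.

    Names are compared case-insensitively with any trailing dot removed.
    A wildcard is only honoured when it is the whole leftmost label, there
    are at least two further labels, and it covers exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def _subject_cns(cert):
    """All commonName values from the subject, in getpeercert() layout."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _san_dns(cert):
    """All dNSName entries from subjectAltName, in getpeercert() layout."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def match_hostname(cert, hostname, strict=True):
    """Return (ok, reason).

    strict=True follows RFC 2818 section 3.1 the way NSS does: if the
    certificate carries any dNSName SAN entries, only those are consulted
    and the subject CN is ignored. strict=False models the lax behaviour
    Rob describes for OpenSSL, which still falls back to the CN when no
    SAN matched.
    """
    dns_names = _san_dns(cert)
    for name in dns_names:
        if _dnsname_match(name, hostname):
            return True, "matched subjectAltName %r" % name
    if dns_names and strict:
        return False, ("no alternative certificate subject name matches "
                       "target host name %r" % hostname)
    for cn in _subject_cns(cert):
        if _dnsname_match(cn, hostname):
            return True, "matched subject CN %r (no SAN used)" % cn
    return False, "no SAN or CN matches %r" % hostname


# Constructed: the shape of Matt's regenerated cert, CN for the real host
# and a single SAN for the load-balancer name (names are assumptions).
CERT_SAN_ONLY_ALIAS = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
    "subjectAltName": (("DNS", "ipa.example.com"),),
}

# Constructed: the cert Rob recommends, requested with both names as SANs.
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
    "subjectAltName": (("DNS", "ldap-01.example.com"), ("DNS", "ipa.example.com")),
}


if __name__ == "__main__":
    for label, cert in (("SAN only alias", CERT_SAN_ONLY_ALIAS),
                        ("both names", CERT_BOTH_NAMES)):
        for host in ("ldap-01.example.com", "ipa.example.com"):
            print("%-15s %-20s strict=%s lax=%s" % (
                label, host,
                match_hostname(cert, host)[0],
                match_hostname(cert, host, strict=False)[0]))
```

Running it shows the asymmetry the thread is about: with only the alias in the SAN, the strict check rejects the real host name with the same message curl printed, the lax check accepts it via the CN, and the two-SAN certificate passes both checks for both names. To apply it to a live server, connect with ssl.create_default_context(), call getpeercert() on the socket and pass the result in as cert.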