[Freeipa-users] nss unrecognized name alert with SAN name

Rob Crittenden rcritten at redhat.com
Sat Feb 6 22:29:33 UTC 2016


John Obaterspok wrote:
> Hi,
>
> I have an ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>
> I recently started to get nss error "SSL peer has no certificate for the
> requested DNS name." when I'm accessing my https://gitserver.my.lan
>
> Previously this worked fine if I had set "git config --global
> http.sslVerify false" according to
> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>
> Now I tried to solve this by adding a SubjectAltName to the
> HTTP/ipa.my.lan certificate like this:
>
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=MY.LAN
> subject: CN=ipa.my.lan,O=MY.LAN
> expires: 2018-02-06 19:24:52 UTC
> dns: gitserver.my.lan,ipa.my.lan
> principal name: http/ipa.my.lan at MY.LAN
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> But I still get the below error:
>
> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> * SSL peer has no certificate for the requested DNS name

What version of mod_nss? It recently added support for SNI. You can try 
turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but 
I'd imagine you were already relying on it.

rob



