[Freeipa-users] nss unrecognized name alert with SAN name
John Obaterspok
john.obaterspok at gmail.com
Sun Feb 7 11:05:19 UTC 2016
2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> John Obaterspok wrote:
>
>> Hi,
>>
>> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>
>> I recently started to get nss error "SSL peer has no certificate for the
>> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>
>> Previously this worked fine if I had set "git config --global
>> http.sslVerify false" according to
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>
>> Now I tried to solve this by adding a SubjectAltName to the
>> HTTP/ipa.my.lan certificate like this:
>>
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=MY.LAN
>> subject: CN=ipa.my.lan,O=MY.LAN
>> expires: 2018-02-06 19:24:52 UTC
>> dns: gitserver.my.lan,ipa.my.lan
>> principal name: http/ipa.my.lan at MY.LAN
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> But I still get the below error:
>>
>> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> * SSL peer has no certificate for the requested DNS name
>>
>
> What version of mod_nss? It recently added support for SNI. You can try
> turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> imagine you were already relying on it.
>
>
Hi,
Turning it off didn't help.
I'm on F23 with latest updates, so I have mod_nss-1.0.12-1.
I noticed it worked if I set "ServerName gitserver.my.lan" in
gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
I then tried to put ipa.conf in <VirtualHost *:443>, but then I got an error
about SSL_ERROR_RX_RECORD_TOO_LONG.
gitserver.conf has this:

    <VirtualHost *:443>
        DocumentRoot /opt/wwwgit
        SetEnv GIT_PROJECT_ROOT /opt/wwwgit
        SetEnv GIT_HTTP_EXPORT_ALL
        SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
        ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
        ServerName gitserver.my.lan

        <Directory "/usr/libexec/git-core">
            Options Indexes
            AllowOverride None
            Require all granted
        </Directory>

        <Directory "/opt/wwwgit">
            Options Indexes
            AllowOverride None
            Require all granted
        </Directory>

        <LocationMatch "/git/">
            #SSLRequireSSL
            AuthType Kerberos
            AuthName "Kerberos Login"
            KrbAuthRealm WIN.LAN
            Krb5KeyTab /etc/httpd/conf/ipa.keytab
            KrbMethodNegotiate on
            # Set to on to query for pwd if negotiation failed due to no
            # ticket available (httpd does not accept trailing comments on
            # a directive line, so the comment lives on its own lines)
            KrbMethodK5Passwd off
            KrbSaveCredentials on
            KrbVerifyKDC on
            KrbServiceName HTTP/ipa.my.lan at MY.LAN
            AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
            AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
            AuthLDAPBindPassword "secret123abc"
            Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
        </LocationMatch>
    </VirtualHost>
Any more ideas what I do wrong?
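A check that separates the two failure modes discussed in this thread, added here as an example and not code from the thread or from FreeIPA/mod_nss: the NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT) is the server sending a TLS unrecognized_name alert during the handshake, which means the SNI name did not match any virtual host's ServerName, whereas a certificate whose CN/SAN does not cover the requested name produces a completed handshake followed by a hostname-check failure on the client. The script below connects with a chosen SNI name, keeps CA verification on (so `getpeercert()` is populated) but does the hostname check itself, and reports which case applies. The CA bundle path `/etc/ipa/ca.crt` is an assumption, and `SAMPLE_CERT` is a constructed stand-in for `getpeercert()` output that mirrors the certificate listed earlier in the thread, not data captured from a real server.

```python
"""Probe which certificate a TLS server presents for a given SNI name.

Added example, not from the original thread.  Assumes the IPA CA
certificate is readable at /etc/ipa/ca.crt (an assumption; any PEM
bundle able to validate the server certificate will do).
"""
import socket
import ssl
import sys

# Constructed stand-in for ssl.SSLSocket.getpeercert() output, mirroring
# the certificate listed in the thread (CN=ipa.my.lan with dNSName
# entries gitserver.my.lan and ipa.my.lan).  Not captured from a server.
SAMPLE_CERT = {
    "subject": ((("organizationName", "MY.LAN"),),
                (("commonName", "ipa.my.lan"),)),
    "subjectAltName": (("DNS", "gitserver.my.lan"), ("DNS", "ipa.my.lan")),
}


def cert_names(cert):
    """Return (subject CNs, SAN dNSNames) from a getpeercert() dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans


def _name_match(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        pat_rest = pattern[2:]
        head, sep, host_rest = hostname.partition(".")
        # require a label to stand in for '*', and at least two labels after it
        return bool(sep) and head != "" and "." in pat_rest and host_rest == pat_rest
    return False


def covers(cert, hostname):
    """True if the certificate is valid for hostname.

    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate carries no dNSName at all (RFC 6125 sec. 6.4.4).
    """
    cns, sans = cert_names(cert)
    candidates = sans if sans else cns
    return any(_name_match(p, hostname) for p in candidates)


def probe(host, port, sni, cafile="/etc/ipa/ca.crt"):
    """Connect with TLS SNI=sni and classify the outcome.

    Returns one of:
      ("alert", reason)   server rejected the SNI name in the handshake
                          (what NSS reports as SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
      ("error", reason)   some other TLS failure, e.g. untrusted CA
      ("mismatch", names) handshake completed but the certificate served
                          does not cover sni (client-side hostname failure)
      ("ok", names)       certificate served covers sni
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # we do the name check ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # otherwise getpeercert() is empty
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        # OpenSSL maps TLS alert 112 (unrecognized_name) to this reason code
        kind = "alert" if exc.reason == "TLSV1_UNRECOGNIZED_NAME" else "error"
        return (kind, exc.reason)
    names = cert_names(cert)
    return ("ok" if covers(cert, sni) else "mismatch", names)


def demo():
    """Offline check of the name logic against the constructed certificate."""
    return {n: covers(SAMPLE_CERT, n)
            for n in ("gitserver.my.lan", "ipa.my.lan", "www.my.lan")}


if __name__ == "__main__":
    # usage: probe_sni.py ipa.my.lan 443 gitserver.my.lan ipa.my.lan
    if len(sys.argv) < 4:
        print(demo())
    else:
        host, port, *snis = sys.argv[1:]
        for name in snis:
            print(name, probe(host, int(port), name))
```

Run it once per name that should be served on port 443; an "alert" result for one name and "ok" for another is the virtual-host dispatch problem described above (only one ServerName matches), while "mismatch" would point at the certificate itself.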