[Freeipa-users] nss unrecognized name alert with SAN name
Fraser Tweedale
ftweedal at redhat.com
Thu Feb 11 00:34:08 UTC 2016
On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>
> > John Obaterspok wrote:
> >
> >> Hi,
> >>
> >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
> >>
> >> I recently started to get nss error "SSL peer has no certificate for the
> >> requested DNS name." when I'm accesing my https://gitserver.my.lan
> >>
> >> Previously this worked fine if I had set "git config --global
> >> http.sslVerify false" according to
> >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> >>
> >> Now I tried to solve this by adding a SubjectAltName to the
> >> HTTP/ipa.my.lan certitficate like this:
> >>
> >> status: MONITORING
> >> stuck: no
> >> key pair storage:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >> certificate:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> >> Certificate DB'
> >> CA: IPA
> >> issuer: CN=Certificate Authority,O=MY.LAN
> >> subject: CN=ipa.my.lan,O=MY.LAN
> >> expires: 2018-02-06 19:24:52 UTC
> >> dns: gitserver.my.lan,ipa.my.lan
> >> principal name: http/ipa.my.lan at MY.LAN
> >> key usage:
> >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >> eku: id-kp-serverAuth,id-kp-clientAuth
> >> pre-save command:
> >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >> track: yes
> >> auto-renew: yes
> >>
> >> But I still get the below error:
> >>
> >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> >> * SSL peer has no certificate for the requested DNS name
> >>
> >
> > What version of mod_nss? It recently added support for SNI. You can try
> > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> > imagine you were already relying on it.
> >
> >
> Hi,
>
> Turning it off didn't help
>
> I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> I noticed it worked if I set "ServerName gitserver.my.lan" in
> gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>
> I then tried to put ipa.conf in <VirtualHost *:443> but then I got error
> about SSL_ERROR_RX_RECORD_TOO_LONG
>
> gitserver.conf has this:
>
> <VirtualHost *:443>
> DocumentRoot /opt/wwwgit
> SetEnv GIT_PROJECT_ROOT /opt/wwwgit
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>
> ServerName gitserver.my.lan
>
> <Directory "/usr/libexec/git-core">
> Options Indexes
> AllowOverride None
> Require all granted
> </Directory>
>
> <Directory "/opt/wwwgit">
> Options Indexes
> AllowOverride None
> Require all granted
> </Directory>
>
> <LocationMatch "/git/">
> #SSLRequireSSL
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbAuthRealm WIN.LAN
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd off # Set to on to query for pwd if negotiation
> failed due to no ticket available
> KrbSaveCredentials on
> KrbVerifyKDC on
> KrbServiceName HTTP/ipa.my.lan at MY.LAN
>
> AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
> AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
> AuthLDAPBindPassword "secret123abc"
> Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> </LocationMatch>
>
> </VirtualHost>
>
>
> Any more ideas what I do wrong?
It was suggested that this may be due to the certificate not being
compliant with RFC 2818. This is likely true, but I think it is not
likely to be the problem. You can use `openssl s_client` to confirm
what certificate the server is sending:
openssl s_client -showcerts \
-servername gitserver.my.lan -connect gitserver.my.lan:443
This will dump the certificates (in PEM format), which you can copy
to a file examine with `opeenssl x509 -text < cert.pem`.
Feel free to reply with the output; I am happy to have a closer
look.
Cheers,
Fraser
More information about the Freeipa-users
mailing list