[Freeipa-users] nss unrecognized name alert with SAN name

Fraser Tweedale ftweedal at redhat.com
Thu Feb 11 00:34:08 UTC 2016


On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> 
> > John Obaterspok wrote:
> >
> >> Hi,
> >>
> >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
> >>
> >> I recently started to get nss error "SSL peer has no certificate for the
> >> requested DNS name." when I'm accessing my https://gitserver.my.lan
> >>
> >> Previously this worked fine if I had set "git config --global
> >> http.sslVerify false" according to
> >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> >>
> >> Now I tried to solve this by adding a SubjectAltName to the
> >> HTTP/ipa.my.lan certificate like this:
> >>
> >> status: MONITORING
> >> stuck: no
> >> key pair storage:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >> certificate:
> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> >> Certificate DB'
> >> CA: IPA
> >> issuer: CN=Certificate Authority,O=MY.LAN
> >> subject: CN=ipa.my.lan,O=MY.LAN
> >> expires: 2018-02-06 19:24:52 UTC
> >> dns: gitserver.my.lan,ipa.my.lan
> >> principal name: http/ipa.my.lan at MY.LAN
> >> key usage:
> >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >> eku: id-kp-serverAuth,id-kp-clientAuth
> >> pre-save command:
> >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >> track: yes
> >> auto-renew: yes
> >>
> >> But I still get the below error:
> >>
> >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> >> * SSL peer has no certificate for the requested DNS name
> >>
> >
> > What version of mod_nss? It recently added support for SNI. You can try
> > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> > imagine you were already relying on it.
> >
> >
> Hi,
> 
> Turning it off didn't help
> 
> I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> I noticed it worked if I set "ServerName gitserver.my.lan" in
> gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
> 
> I then tried to put ipa.conf in <VirtualHost *:443> but then I got error
> about SSL_ERROR_RX_RECORD_TOO_LONG
> 
> gitserver.conf has this:
> 
> <VirtualHost *:443>
>         DocumentRoot /opt/wwwgit
>         SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>         SetEnv GIT_HTTP_EXPORT_ALL
>         SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>         ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
> 
>         ServerName gitserver.my.lan
> 
>         <Directory "/usr/libexec/git-core">
>             Options Indexes
>             AllowOverride None
>             Require all granted
>         </Directory>
> 
>         <Directory "/opt/wwwgit">
>             Options Indexes
>             AllowOverride None
>             Require all granted
>         </Directory>
> 
>         <LocationMatch "/git/">
>             #SSLRequireSSL
>             AuthType Kerberos
>             AuthName "Kerberos Login"
>             KrbAuthRealm WIN.LAN
>             Krb5KeyTab /etc/httpd/conf/ipa.keytab
>             KrbMethodNegotiate on
>             # Set to on to query for pwd if negotiation failed due to no ticket available
>             # (httpd does not accept a comment on the same line as a directive)
>             KrbMethodK5Passwd off
>             KrbSaveCredentials on
>             KrbVerifyKDC on
>             KrbServiceName HTTP/ipa.my.lan at MY.LAN
> 
>             AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
>             AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
>             AuthLDAPBindPassword "secret123abc"
>             Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>         </LocationMatch>
> 
> </VirtualHost>
> 
> 
> Any more ideas what I do wrong?

It was suggested that this may be due to the certificate not being
compliant with RFC 2818.  This is likely true, but I think it is not
likely to be the problem.  You can use `openssl s_client` to confirm
what certificate the server is sending:

    openssl s_client -showcerts \
        -servername gitserver.my.lan -connect gitserver.my.lan:443

This will dump the certificates (in PEM format), which you can copy
to a file and examine with `openssl x509 -text < cert.pem`.

Feel free to reply with the output; I am happy to have a closer
look.

Cheers,
Fraser
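To make the `s_client` check above repeatable, here is an added shell example (not code from the thread, nor from FreeIPA or mod_nss): it fetches the leaf certificate a server presents for a given SNI name, lists the subjectAltName dNSName entries, and tests whether a hostname is covered by them (exact match, or a wildcard covering exactly one label, which is the check RFC 2818 clients perform). The `make_sample_cert` helper generates a throw-away self-signed certificate carrying the two names from the thread, constructed sample data so the checks can run offline. The function names and the OpenSSL 1.1.1+ requirement (`-addext`, `-ext`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires OpenSSL >= 1.1.1.

# Fetch the leaf certificate the server sends when the client asks for
# host $1 (port $2, default 443) via SNI, and print it as PEM.
# `openssl x509` reads only the first PEM block, i.e. the leaf.
fetch_leaf_cert() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Print the DNS names from the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if hostname $2 is covered by a SAN dNSName in certificate $1.
# A wildcard is honoured only as a leading "*." label matching exactly one
# label (so "*.my.lan" covers gitserver.my.lan but not a.b.my.lan or my.lan).
cert_covers_name() {
    san_dns_names "$1" | {
        while IFS= read -r san; do
            case "$san" in
                "$2") exit 0 ;;
                \*.*)
                    if [ "${2#*.}" = "${san#\*.}" ] && [ "${2%%.*}" != "$2" ]; then
                        exit 0
                    fi ;;
            esac
        done
        exit 1
    }
}

# Constructed sample data: a self-signed certificate in directory $1 with the
# SAN list $2 (default: the two names from the thread). Lets the checks above
# run without a live server.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=MY.LAN/CN=ipa.my.lan' \
        -addext "subjectAltName=${2:-DNS:gitserver.my.lan,DNS:ipa.my.lan}" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Live check: check_host HOST [PORT]. Shows what the server returned for that
# SNI name and whether the certificate covers it.
check_host() {
    tmp=$(mktemp)
    fetch_leaf_cert "$1" "${2:-443}" > "$tmp"
    printf 'Server %s presented: %s\n' "$1" "$(openssl x509 -noout -subject -in "$tmp")"
    printf 'SAN dNSNames: %s\n' "$(san_dns_names "$tmp" | tr '\n' ' ')"
    if cert_covers_name "$tmp" "$1"; then
        echo "OK: certificate covers $1"; rc=0
    else
        echo "MISMATCH: $1 is not covered by the certificate's SAN"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

if [ $# -ge 1 ]; then check_host "$@"; fi
```

Run it as `sh check-san.sh gitserver.my.lan` (or with `ipa.my.lan`) against the server to see, for each SNI name, which certificate the matching virtual host actually hands out; comparing the two runs shows whether the ServerName/SNI selection in httpd or the certificate content is what differs.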