[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

Prasun Gera prasun.gera at gmail.com
Sun Apr 23 07:32:19 UTC 2017


Thank you. That worked for the master. How do I fix the replica's cert?
This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
ipa's DNS at all. Did this happen because of that?

On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale <ftweedal at redhat.com>
wrote:

> On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
> > I can confirm that I see this behaviour too. My ipa server install is a
> > pretty stock install with no 3rd party certificates.
> >
> > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
> > simon.williams at thehelpfulcat.com> wrote:
> >
> > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> > > version 58.0.3029.81.  It appears that this version of Chrome will not
> > > trust certificates based on Common Name.  Looking at the Chrome
> > > documentation and borne out by one of the messages, from Chrome 58,
> > > the subjectAltName is required to identify the DNS name of the host that
> > > the certificate is issued for.  I would be grateful if someone could point
> > > me in the direction of how to recreate my SSL certificates so that
> > > the subjectAltName is populated.
> > >
> > > Thanks in advance
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > >
> Which version of IPA are you using?
>
> The first thing you should do, which I think should be sufficient in
> most cases, is to tell certmonger to submit a new cert request for
> each affected certificate, instructing it to include the relevant
> DNSName in the subjectAltName extension in the CSR.
>
> List the certmonger tracking requests and look for the HTTPS
> certificate.  For example:
>
>     $ getcert list
>     Number of certificate and requests being tracked: 11
>     ...
>     Request ID '20170418012901':
>             status: MONITORING
>             stuck: no
>             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>             subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>             expires: 2019-03-22 03:20:19 UTC
>             dns: f25-2.ipa.local
>             key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>             track: yes
>             auto-renew: yes
>     ...
>
> Using the Request ID of the HTTPS certificate, resubmit the request
> but use the ``-D <hostname>`` option to specify a DNSName to include
> in the SAN extension:
>
>   $ getcert resubmit -i <Request ID> -D <hostname>
>
> ``-D <hostname>`` can be specified multiple times, if necessary.
>
> This should request a new certificate that will have the server DNS
> name in the SAN extension.
>
> HTH,
> Fraser
>
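Fraser's procedure, automated as an added example (this is not code from the thread, from FreeIPA or from certmonger): parse `getcert list` output, flag TLS server certificates whose dNSName SAN does not cover the subject CN (the ones Chrome 58 stops trusting), and emit the matching `getcert resubmit -i <id> -D <hostname>` lines. The sample output is constructed, and the script assumes getcert prints no `dns:` line when a certificate carries no dNSName SAN.

```python
import re

# Constructed sample of `getcert list` output (not from the original post),
# trimmed to the fields read below. The first cert already has a dNSName SAN
# (the "dns:" line); the second was issued with a CN only, so certmonger
# prints no "dns:" line for it (assumption about getcert's output format).
SAMPLE_GETCERT_LIST = """\
Number of certificate and requests being tracked: 2.
Request ID '20170418012901':
        subject: CN=ipa-master.example.test,O=EXAMPLE.TEST
        dns: ipa-master.example.test
        eku: id-kp-serverAuth,id-kp-clientAuth
Request ID '20170418012902':
        subject: CN=ipa-replica.example.test,O=EXAMPLE.TEST
        eku: id-kp-serverAuth,id-kp-clientAuth
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def subject_cn(subject):
    """Return the CN attribute of a subject DN such as 'CN=host,O=REALM'."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1) if m else None

def missing_san(requests):
    """(id, cn) of server certs whose dNSName SAN does not cover the CN,
    i.e. the certificates Chrome 58 refuses to match by CN alone."""
    hits = []
    for r in requests:
        cn = subject_cn(r.get("subject", ""))
        sans = [d.lower() for d in r.get("dns", "").split()]
        if cn and "id-kp-serverAuth" in r.get("eku", "") and cn.lower() not in sans:
            hits.append((r["id"], cn))
    return hits

def resubmit_commands(text):
    """One `getcert resubmit -i <id> -D <cn>` line per affected certificate."""
    return [f"getcert resubmit -i {rid} -D {cn}"
            for rid, cn in missing_san(parse_getcert_list(text))]
```

Pipe real output in with `getcert list | python3 this_script.py` after adding a small `sys.stdin.read()` wrapper, and review the emitted commands before running them on each master and replica.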