[Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

Maciej Drobniuch md at collective-sense.com
Tue Jan 3 15:14:15 UTC 2017


Hello Mike,

I don't know if I'm aligned with your problem, but generally I was facing a
SAN cert issue too.

Not sure if you're terminating SSL/TLS on the load balancer or not?

Usually I do SAN certs in IPA via GUI/IdM.
I am adding a service and hosts assigned to that service.

Every host has an additional https service.

Then I am simply pasting the SAN csr into the host that owns the main
service and this creates a signed SAN cert that you can upload later to
your LB.

In simple words the service is assigned to all hosts, but those hosts
also have a service added (this is a hack).

Hope that makes sense and helps solve your problem.

BR

On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:

> I am trying to get FreeIPA LDAP to work when behind a load balancer and
> using SSL and I do not understand how I am supposed to get the server to
> use a certificate I created that has a SAN created.
>
> FreeIPA 4.4.0 on CentOS 7
>
> Here is what I have:
> ipa-master.dev.crosschx.com - master
> ipa-replica.dev.crosschx.com - replica
> ipa.dev.crosschx.com - load balancer DNS name which points to the master
> and replica servers
>
> Here is what I have done.
> ipa host-add ipa.dev.crosschx.com --random --force
>
> ipa service-add --force ldap/ipa.dev.crosschx.com
>
> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>
> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>
> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com -K ldap/ipa-master.dev.crosschx.com
>
>
> I can see the certificate is being monitored by IPA when I run ipa-getcert
> list but I am lost at the step to have this cert put into the database so
> that IPA will properly respond when I try to connect over LDAPS.
>
> I was testing the connection with the following command and I see the
> ipa-master.dev cert being served.
>
> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername
> ipa.dev.crosschx.com
>
> Can you point me to the documentation I need to follow?
>
> Thank you.
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475
> mike.plemmons at crosschx.com
> www.crosschx.com
>



-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
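A check for the symptom Mike describes (the master's own certificate being served on 636 instead of the SAN certificate), added here as an example that is not from the thread or from the FreeIPA project: it extracts the DNS SANs from a certificate and reports whether the load-balancer name is covered. The hostnames are the ones from the thread; the function names are my own, and it assumes OpenSSL 1.1.1 or newer on a POSIX shell.

```shell
# san_dns_names PEMFILE -> prints one DNS SAN per line (empty if the cert has none)
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers_name PEMFILE NAME -> exit 0 if NAME is an exact DNS SAN entry, 1 otherwise
cert_covers_name() {
    san_dns_names "$1" | grep -qx "$2"
}

# fetch_served_cert HOST PORT SERVERNAME OUTFILE
# Saves the leaf certificate a server presents when asked for SERVERNAME via
# SNI, i.e. the same probe as the 'openssl s_client ... -servername' command
# in the thread. This is the only function that touches the network.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM > "$4"
}

# check_backend HOST PORT LBNAME
# Run once per backend (ipa-master and ipa-replica) with LBNAME=ipa.dev.crosschx.com;
# exit 0 when the served cert covers the LB name, 1 when it does not, 2 on fetch error.
check_backend() {
    tmp=$(mktemp) || return 2
    if ! fetch_served_cert "$1" "$2" "$3" "$tmp"; then
        rm -f "$tmp"; echo "$1:$2: could not fetch certificate"; return 2
    fi
    if cert_covers_name "$tmp" "$3"; then
        echo "$1:$2: OK, served certificate covers $3"; rc=0
    else
        echo "$1:$2: MISSING $3, served SANs: $(san_dns_names "$tmp" | tr '\n' ' ')"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

If check_backend reports MISSING on either backend, the LB cert has been issued but not installed into that server's 389-ds NSS database, which matches the "cert is monitored but not served" state in the thread.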