[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Prasun Gera
prasun.gera at gmail.com
Mon May 1 09:39:58 UTC 2017
Any ideas why the replica's certs are not being tracked? That looks like
an issue in itself. If they are not being tracked, the replica will fail
once they expire. Is there any way to fix the replica?
On Sun, Apr 23, 2017 at 10:08 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
> I tried that, but the replica's "getcert list" doesn't seem to show any
> results. "Number of certificates and requests being tracked: 0." Is that
> expected?
>
> On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale <ftweedal at redhat.com>
> wrote:
>
>> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
>> > Thank you. That worked for the master. How do I fix the replica's cert?
>> > This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
>> > ipa's DNS at all. Did this happen because of that?
>> >
>> This is not related to DNS.
>>
>> To fix the replica, log onto the host and perform the same steps
>> with Certmonger there. The tracking Request ID will be different
>> but otherwise the process is the same.
>>
>> Cheers,
>> Fraser
>>
>> > On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale <ftweedal at redhat.com>
>> > wrote:
>> >
>> > > On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
>> > > > I can confirm that I see this behaviour too. My ipa server install is a
>> > > > pretty stock install with no 3rd party certificates.
>> > > >
>> > > > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
>> > > > simon.williams at thehelpfulcat.com> wrote:
>> > > >
>> > > > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
>> > > > > version 58.0.3029.81. It appears that this version of Chrome will not
>> > > > > trust certificates based on Common Name. Looking at the Chrome
>> > > > > documentation and borne out by one of the messages, from Chrome 58,
>> > > > > the subjectAltName is required to identify the DNS name of the host
>> > > > > that the certificate is issued for. I would be grateful if someone
>> > > > > could point me in the direction of how to recreate my SSL
>> > > > > certificates so that the subjectAltName is populated.
>> > > > >
>> > > > > Thanks in advance
>> > > > >
>> > > > >
>> > > Which version of IPA are you using?
>> > >
>> > > The first thing you should do, which I think should be sufficient in
>> > > most cases, is to tell certmonger to submit a new cert request for
>> > > each affected certificate, instructing to include the relevant
>> > > DNSName in the subjectAltName extension in the CSR.
>> > >
>> > > To list certmonger tracking requests and look for the HTTPS
>> > > certificate. For example:
>> > >
>> > > $ getcert list
>> > > Number of certificate and requests being tracked: 11
>> > > ...
>> > > Request ID '20170418012901':
>> > > status: MONITORING
>> > > stuck: no
>> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > > CA: IPA
>> > > issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>> > > subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>> > > expires: 2019-03-22 03:20:19 UTC
>> > > dns: f25-2.ipa.local
>> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > > eku: id-kp-serverAuth,id-kp-clientAuth
>> > > pre-save command:
>> > > post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > > track: yes
>> > > auto-renew: yes
>> > > ...
>> > >
>> > > Using the Request ID of the HTTPS certificate, resubmit the request
>> > > but use the ``-D <hostname>`` option to specify a DNSName to include
>> > > in the SAN extension:
>> > >
>> > > $ getcert resubmit -i <Request ID> -D <hostname>
>> > >
>> > > ``-D <hostname>`` can be specified multiple times, if necessary.
>> > >
>> > > This should request a new certificate that will have the server DNS
>> > > name in the SAN extension.
>> > >
>> > > HTH,
>> > > Fraser
>> > >
>>
>
>
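As an added example (not part of the thread or of FreeIPA), a small Python audit of `getcert list` output that flags tracked certificates whose SAN `dns:` field does not cover the subject CN hostname, the condition Chrome 58 rejects, and emits the `getcert resubmit -i <id> -D <hostname>` command Fraser describes. The sample output is constructed from the format quoted above; the tab-indented `field: value` layout is assumed to match what getcert prints.

```python
"""Audit 'getcert list' output for server certs whose SAN lacks the CN hostname.
Added example, not from the thread; the sample output below is constructed."""
import re
from typing import List, Tuple

# Constructed sample: one request with a SAN DNSName, one with CN only.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170418012901':
\tsubject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
\tdns: f25-2.ipa.local
\ttrack: yes
Request ID '20170418012902':
\tsubject: CN=ldap.ipa.local,O=IPA.LOCAL 201703211317
\ttrack: yes
"""

def parse_getcert_list(text: str) -> List[dict]:
    """Split getcert output into one dict of 'field: value' pairs per Request ID."""
    requests: List[dict] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def missing_san(text: str) -> List[Tuple[str, str]]:
    """Return (request id, CN hostname) where the dns: field does not cover the CN.
    An empty result on a host that serves HTTPS (e.g. a replica reporting zero
    tracked requests) means nothing is being renewed, which is its own problem."""
    findings = []
    for req in parse_getcert_list(text):
        cn = re.search(r"CN=([^,]+)", req.get("subject", ""))
        if not cn:
            continue
        host = cn.group(1).strip().lower()
        san = {h.strip().lower() for h in req.get("dns", "").split(",") if h.strip()}
        if host not in san:
            findings.append((req["id"], host))
    return findings

def resubmit_commands(text: str) -> List[str]:
    """The fix from the thread: resubmit each affected request with -D <hostname>."""
    return [f"getcert resubmit -i {rid} -D {host}" for rid, host in missing_san(text)]
```

Run it against the real output with `getcert list | python3 audit.py` style piping only after reading the output yourself; the script reports, it does not resubmit anything.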