<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">2016-02-06 23:29 GMT+01:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">John Obaterspok wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi,<br>
<br>
I have an ipa.my.lan and a CNAME gitserver.my.lan pointing to ipa.my.lan<br>
<br>
I recently started to get nss error "SSL peer has no certificate for the<br>
requested DNS name." when I'm accessing my <a href="https://gitserver.my.lan" rel="noreferrer" target="_blank">https://gitserver.my.lan</a><br>
<br>
Previously this worked fine if I had set "git config --global<br>
http.sslVerify false" according to<br>
<a href="https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html</a><br>
<br>
Now I tried to solve this by adding a SubjectAltName to the<br>
HTTP/ipa.my.lan certificate like this:<br>
<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=MY.LAN<br>
subject: CN=ipa.my.lan,O=MY.LAN<br>
expires: 2018-02-06 19:24:52 UTC<br>
dns: gitserver.my.lan,ipa.my.lan<br>
principal name: http/ipa.my.lan@MY.LAN<br>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
<br>
But I still get the below error:<br>
<br>
* NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)<br>
* SSL peer has no certificate for the requested DNS name<br>
</blockquote>
<br></div></div><div class=""><div class="h5">
What version of mod_nss? It recently added support for SNI. You can try turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd imagine you were already relying on it.<br>
<br></div></div></blockquote><div><br></div><div>Hi,</div><div> </div><div>Turning it off didn't help.</div><div><br></div><div>I'm on F23 with the latest updates, so I have mod_nss-1.0.12-1.</div><div>I noticed it worked if I set "ServerName gitserver.my.lan" in gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.</div><div><br></div><div>I then tried to put ipa.conf in <VirtualHost *:443>, but then I got an error about SSL_ERROR_RX_RECORD_TOO_LONG.</div><div><br></div><div>gitserver.conf has this:</div><div><br></div><div>
<p class=""><span class=""><VirtualHost *:443><br></span> DocumentRoot /opt/wwwgit<br> SetEnv GIT_PROJECT_ROOT /opt/wwwgit<br> SetEnv GIT_HTTP_EXPORT_ALL<br> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER <br> ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/</p>
<p class=""><span class=""> ServerName gitserver.my.lan</span></p>
<p class=""><span class=""> <Directory "/usr/libexec/git-core"><br></span> Options Indexes<br> AllowOverride None<br> Require all granted<br> </Directory></p>
<p class=""><span class=""> <Directory "/opt/wwwgit"><br></span> Options Indexes<br> AllowOverride None<br> Require all granted<br> </Directory></p>
<p class=""><span class=""><LocationMatch "/git/"><br></span> #SSLRequireSSL<br> AuthType Kerberos <br> AuthName "Kerberos Login"<br> KrbAuthRealm WIN.LAN<br> Krb5KeyTab /etc/httpd/conf/ipa.keytab<br> KrbMethodNegotiate on <br> KrbMethodK5Passwd off # Set to on to query for pwd if negotiation failed due to no ticket available<br> KrbSaveCredentials on <br> KrbVerifyKDC on <br> KrbServiceName HTTP/ipa.my.lan@MY.LAN</p>
<p class=""><span class=""> AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName<br></span> AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"<br> AuthLDAPBindPassword "secret123abc"<br> Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan<br> </LocationMatch></p>
<p class=""><span class=""></VirtualHost></span></p>
<p class=""><br><span class=""></span></p><p class="">Any more ideas what I do wrong?</p></div></div></div></div>