<div dir="ltr">Hi,<div><br></div><div>I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName to work.</div><div>F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't work any more. Is there any chance 1.0.14 will make it in as an F24 update?</div><div>(I can add karma if needed)</div><div><br></div><div>-- john</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-25 19:26 GMT+02:00 John Obaterspok <span dir="ltr"><<a href="mailto:john.obaterspok@gmail.com" target="_blank">john.obaterspok@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Rob!<div><br></div><div>I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server and it works like a charm.</div><div><br></div><div>Thanks,</div><div><br></div><div> john</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-04-25 16:47 GMT+02:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">John Obaterspok wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
<br>
2016-02-11 1:34 GMT+01:00 Fraser Tweedale <<a href="mailto:ftweedal@redhat.com" target="_blank">ftweedal@redhat.com</a><br></span>
<mailto:<a href="mailto:ftweedal@redhat.com" target="_blank">ftweedal@redhat.com</a>>>:<span><br>
<br>
On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:<br>
> 2016-02-06 23:29 GMT+01:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></span>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>:<div><div><br>
><br>
> > John Obaterspok wrote:<br>
> ><br>
> >> Hi,<br>
> >><br>
> >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to<br>
ipa.my.lan<br>
> >><br>
> >> I recently started to get nss error "SSL peer has no<br>
certificate for the<br>
> >> requested DNS name." when I'm accesing my <a href="https://gitserver.my.lan" rel="noreferrer" target="_blank">https://gitserver.my.lan</a><br>
> >><br>
> >> Previously this worked fine if I had set "git config --global<br>
> >> http.sslVerify false" according to<br>
> >><br>
<a href="https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html</a><br>
> >><br>
> >> Now I tried to solve this by adding a SubjectAltName to the<br>
> >> HTTP/ipa.my.lan certitficate like this:<br>
> >><br>
> >> status: MONITORING<br>
> >> stuck: no<br>
> >> key pair storage:<br>
> >><br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> >> certificate:<br>
> >><br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> >> Certificate DB'<br>
> >> CA: IPA<br>
> >> issuer: CN=Certificate Authority,O=MY.LAN<br>
> >> subject: CN=ipa.my.lan,O=MY.LAN<br>
> >> expires: 2018-02-06 19:24:52 UTC<br>
> >> dns: gitserver.my.lan,ipa.my.lan<br>
> >> principal name: http/ipa.my.lan@MY.LAN<br>
> >> key usage:<br>
> >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> >> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> >> pre-save command:<br>
> >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
> >> track: yes<br>
> >> auto-renew: yes<br>
> >><br>
> >> But I still get the below error:<br>
> >><br>
> >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)<br>
> >> * SSL peer has no certificate for the requested DNS name<br>
> >><br>
> ><br>
> > What version of mod_nss? It recently added support for SNI. You<br>
can try<br>
> > turning it off by adding NSSSNI off to<br>
/etc/httpd/conf.d/nss.conf but I'd<br>
> > imagine you were already relying on it.<br>
> ><br>
> ><br>
> Hi,<br>
><br>
> Turning it off didn't help<br>
><br>
> I'm on F23 with latest updates so I have mod_nss-1.0.12-1<br>
> I noticed it worked if I set "ServerName gitserver.my.lan" in<br>
> gitserver.conf, but then I got the NAME ALERT when accessing<br>
ipa.my.lan.<br>
><br>
> I then tried to put ipa.conf in <VirtualHost *:443> but then I<br>
got error<br>
> about SSL_ERROR_RX_RECORD_TOO_LONG<br>
><br>
> gitserver.conf has this:<br>
><br>
> <VirtualHost *:443><br>
> DocumentRoot /opt/wwwgit<br>
> SetEnv GIT_PROJECT_ROOT /opt/wwwgit<br>
> SetEnv GIT_HTTP_EXPORT_ALL<br>
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER<br>
> ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/<br>
><br>
> ServerName gitserver.my.lan<br>
><br>
> <Directory "/usr/libexec/git-core"><br>
> Options Indexes<br>
> AllowOverride None<br>
> Require all granted<br>
> </Directory><br>
><br>
> <Directory "/opt/wwwgit"><br>
> Options Indexes<br>
> AllowOverride None<br>
> Require all granted<br>
> </Directory><br>
><br>
> <LocationMatch "/git/"><br>
> #SSLRequireSSL<br>
> AuthType Kerberos<br>
> AuthName "Kerberos Login"<br>
> KrbAuthRealm MY.LAN<br>
> Krb5KeyTab /etc/httpd/conf/ipa.keytab<br>
> KrbMethodNegotiate on<br>
> KrbMethodK5Passwd off # Set to on to query for pwd if<br>
negotiation<br>
> failed due to no ticket available<br>
> KrbSaveCredentials on<br>
> KrbVerifyKDC on<br>
> KrbServiceName HTTP/ipa.my.lan@MY.LAN<br>
><br>
> AuthLDAPUrl<br>
ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName<br>
> AuthLDAPBindDN<br>
"uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"<br>
> AuthLDAPBindPassword "secret123abc"<br>
> Require ldap-group<br>
cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan<br>
> </LocationMatch><br>
><br>
> </VirtualHost><br>
><br>
><br>
> Any more ideas what I do wrong?<br>
<br>
It was suggested that this may be due to the certificate not being<br>
compliant with RFC 2818. This is likely true, but I think it is not<br>
likely to be the problem. You can use `openssl s_client` to confirm<br>
what certificate the server is sending:<br>
<br>
openssl s_client -showcerts \<br>
-servername gitserver.my.lan -connect gitserver.my.lan:443<br>
<br>
This will dump the certificates (in PEM format), which you can copy<br>
to a file examine with `opeenssl x509 -text < cert.pem`.<br>
<br>
Feel free to reply with the output; I am happy to have a closer<br>
look.<br>
<br>
Hi Fraser,<br>
<br>
*cough*, I didn't see this until now :)<br>
<br>
Anyway,<br>
<br>
[admin@ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan<br>
-connect gitserver.my.lan:443<br>
CONNECTED(00000003)<br>
140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1<br>
unrecognized name:s23_clnt.c:769:<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 7 bytes and written 227 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
Session-ID:<br>
Session-ID-ctx:<br>
Master-Key:<br>
Key-Arg : None<br>
Krb5 Principal: None<br>
PSK identity: None<br>
PSK identity hint: None<br>
Start Time: 1461568003<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
<br>
[root@ipa ~]# ipa-getcert list<br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20160206184156':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS<br>
Certificate DB',pinfile='/etc/dirsrv/slapd-MY-LAN/pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=my.lan<br>
subject: CN=ipa.my.lan,O=my.lan<br>
expires: 2017-12-23 22:50:30 UTC<br>
principal name: ldap/ipa.my.lan@my.lan<br>
key usage:<br>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MY-LAN<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20160206192447':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=my.lan<br>
subject: CN=ipa.my.lan,O=my.lan<br>
expires: 2018-02-06 19:24:52 UTC<br></div></div>
*dns: gitserver.my.lan,ipa.my.lan*<span><br>
principal name: http/ipa.my.lan@my.lan<br>
key usage:<br>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
<br>
<br>
Any ideas?<br>
</span></blockquote>
<br>
It's a bug in mod_nss 1.0.12. It shouldn't return a hard failure, it should use the default VH instead (this was fixed in 1.0.13). I filed <a href="https://bugzilla.redhat.com/show_bug.cgi?id=133018" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=133018</a><span><font color="#888888"><br>
<br>
rob<br>
<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>