OK some new update: When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a 301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt

But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my browser it just works fine.

2015-03-26 22:11 GMT+01:00 Matt . <[email protected]>:
> Hi,
>
> This should be it and worked for generating the cert with the altname
> ldap.domain.tld
>
> When I login and I go to services I get the following:
>
> cannot connect to
> 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
> requested domain name does not match the server's certificate.
>
> So I'm a little bit confused here as the certificate contains both hostnames.
>
> A simple wget says the ldap-01 doesn't exist also:
>
> https://ldap-01.domain.tld/ipa/json
> Connecting to ldap-01.domain.tld
> (ldap-01.domain.tld)|10.100.0.251|:443... connected.
> ERROR: no certificate subject alternative name matches
> requested host name 'ldap-01.domain.tld'.
> To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.
>
> 2015-03-26 20:43 GMT+01:00 Matt . <[email protected]>:
>> Hi Rob,
>>
>> Thank you very much!
>>
>> I think this will work out as it's only https traffic.
>>
>> I will report back!
>>
>> Thanks a lot!
>>
>> Matt
>>
>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Yes something is wrong there I guess.
>>>
>>> In any case, it doesn't apply to what you're trying to do.
>>>
>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>> is different I think than the services at least.
>>>>
>>>> So the question there is... how ?
>>>
>>> What webserver cert? Are you trying to load balance the IPA services via
>>> DNS?
>>>
>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>> is not the same as giving a proper answer. I have the feeling you want
>>> to load balance IPA in general which isn't going to work without a ton
>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>
>>> In any case, the instructions I've already provided still apply.
>>>
>>> If you want to replace the Apache webserver cert you'll just need to do
>>> a couple of things first which has the potential of completely breaking
>>> IPA, so you'll need to be careful.
>>>
>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>
>>> Stop tracking the Apache cert in certmonger:
>>>
>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>
>>> Delete the existing cert:
>>>
>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>
>>> Like I said, destructive.
>>>
>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>> is slightly different than before, mostly because I'm just guessing in
>>> the dark because you aren't including enough details into what you're
>>> trying.
>>>
>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com \
>>>   -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>
>>> In this case the IPA server is ipa1.example.com and you're creating a
>>> SAN for ipa.example.com.
>>>
>>> Restart httpd.
>>>
>>> Note that this doesn't solve the Kerberos problem so cli access will
>>> still not work as expected. The UI _might_ work using forms-based
>>> authentication.
>>>
>>> I'd strongly urge you to think about the top of this e-mail before
>>> proceeding onto the bottom.
>>>
>>> rob
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>> Matt . wrote:
>>>>>> When digging around I see this documentation:
>>>>>>
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>
>>>>>> I would expect that server.example.com is not going to be accepted by
>>>>>> IPA when you visit the webgui like that ?
>>>>>
>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>> web browser.
>>>>>
>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>> think it should be example.com and not server.example.com. But in any
>>>>> case it is irrelevant to a browser.
>>>>>
>>>>> rob
>>>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
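The SSL_ERROR_BAD_CERT_DOMAIN and wget errors in this thread are a SAN coverage problem: after the Apache cert is replaced the way Rob describes, every name a client will use (here both ldap.domain.tld and ldap-01.domain.tld) must be present as a SAN entry, because clients stop consulting the CN once a SAN extension exists. The following is an added example, not code from the thread or from FreeIPA, that checks the certificate actually served on each name against the full list of expected names; the constructed sample dict and the /etc/ipa/ca.crt path are assumptions.

```python
import socket
import ssl

# Constructed getpeercert()-style dict mirroring the thread: the CN names the
# real server, but the SAN extension only carries the load-balanced name.
CONSTRUCTED_PEERCERT = {
    "subject": ((("commonName", "ldap-01.domain.tld"),),),
    "subjectAltName": (("DNS", "ldap.domain.tld"),),
}

def san_dns_names(peercert):
    """DNS names from the SAN. The CN is deliberately ignored: once a SAN extension
    exists, NSS (Firefox), wget and other RFC 6125 clients never fall back to the
    CN, so a cert with one name in CN and one in SAN still fails for the CN name."""
    return [v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or a single leftmost '*' label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def missing_names(peercert, expected_hosts):
    """Hostnames clients will use that no SAN entry covers (empty list = OK)."""
    names = san_dns_names(peercert)
    return [h for h in expected_hosts if not any(name_matches(n, h) for n in names)]

def fetch_peercert(hostname, cafile, port=443):
    """Parsed cert actually served for `hostname` (SNI sent). Chain validation
    against `cafile` (e.g. the IPA CA, assumed at /etc/ipa/ca.crt) stays on;
    hostname checking is off so the dict comes back despite the mismatch."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    hosts = ["ldap.domain.tld", "ldap-01.domain.tld"]  # the two names in the thread
    if len(sys.argv) > 2:  # usage: check_san.py /etc/ipa/ca.crt host1 host2 ...
        cafile, hosts = sys.argv[1], sys.argv[2:]
        for h in hosts:
            print(h, "-> SAN misses:", missing_names(fetch_peercert(h, cafile), hosts))
    else:
        print("offline sample -> SAN misses:", missing_names(CONSTRUCTED_PEERCERT, hosts))
```

Run against both names from a host that trusts the IPA CA; after a correct replacement each name should report an empty list, and the offline sample reproduces the thread's failure by reporting ldap-01.domain.tld as uncovered.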
