Rob, I just saw your message on IRC from a couple of hours ago... time difference ;)

Thanks,

Matt

2015-03-28 10:17 GMT+01:00 Matt . <[email protected]>:
> Rob,
>
> As I was responding a little bit late last night, the following comes to mind.
>
> As you say I need to request my cert with two names, how do you mean?
> I'm using curl at the moment so figuring that out.
>
> As the same issue happens in the GUI itself I think this might be a
> problem. When I access ldap-01 directly it complains @ the services
> tab on some service hosts that are in there, and some not.
>
> I think this is not a simple PTR or A record fix, I'm curious how to do.
>
> Cheers,
>
> Matt
>
> 2015-03-27 18:57 GMT+01:00 Rob Crittenden <[email protected]>:
>> Matt . wrote:
>>> I'm almost there but what happens when I regenerate a certificate for
>>> the ldap server I get the following when I visit it through the
>>> loadbalancer:
>>>
>>> no alternative certificate subject name matches target host name
>>> 'ldap-01.domain....'
>>>
>>> I think this is strange as the certificate shows the ldap under the
>>> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
>>> but only on the certificate itself.
>>
>> It turns out that NSS implements cert checking very strictly following
>> RFC 2818 while OpenSSL is a bit more lax about it.
>>
>> The RFC states that if there is a subjectAltName then only that is used
>> to validate the hostname. And in fact, it discourages using the subject
>> at all and ONLY relying on the subjectAltName, though it does recognize
>> that it is current practice (and was that way in 2000 as well).
>>
>> So you need to request your new cert with TWO names: the host name and
>> the alternate name. That should make the cert work anyway.
>>
>> rob
>>
>>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <[email protected]>:
>>>> Matt . wrote:
>>>>> Hi Rob,
>>>>>
>>>>> Yes something is wrong there I guess.
>>>>
>>>> In any case, it doesn't apply to what you're trying to do.
>>>>
>>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>>> is different I think than the services at least.
>>>>>
>>>>> So the question there is... how?
>>>>
>>>> What webserver cert? Are you trying to load balance the IPA services via
>>>> DNS?
>>>>
>>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>>> is not the same as giving a proper answer. I have the feeling you want
>>>> to load balance IPA in general which isn't going to work without a ton
>>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>>
>>>> In any case, the instructions I've already provided still apply.
>>>>
>>>> If you want to replace the Apache webserver cert you'll just need to do
>>>> a couple of things first which have the potential of completely breaking
>>>> IPA, so you'll need to be careful.
>>>>
>>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>>
>>>> Stop tracking the Apache cert in certmonger:
>>>>
>>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Delete the existing cert:
>>>>
>>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Like I said, destructive.
>>>>
>>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>>> is slightly different than before, mostly because I'm just guessing in
>>>> the dark because you aren't including enough details into what you're
>>>> trying.
>>>>
>>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com \
>>>>   -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>>
>>>> In this case the IPA server is ipa1.example.com and you're creating a
>>>> SAN for ipa.example.com.
>>>>
>>>> Restart httpd.
>>>>
>>>> Note that this doesn't solve the Kerberos problem so cli access will
>>>> still not work as expected. The UI _might_ work using forms-based
>>>> authentication.
>>>>
>>>> I'd strongly urge you to think about the top of this e-mail before
>>>> proceeding onto the bottom.
>>>>
>>>> rob
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>>> Matt . wrote:
>>>>>>> When digging around I see this documentation:
>>>>>>>
>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>>
>>>>>>> I would expect that server.example.com is not going to be accepted by
>>>>>>> IPA when you visit the webgui like that?
>>>>>>
>>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>>> web browser.
>>>>>>
>>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>>> think it should be example.com and not server.example.com. But in any
>>>>>> case it is irrelevant to a browser.
>>>>>>
>>>>>> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
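The strict RFC 2818 rule Rob describes (once a subjectAltName is present, the subject CN is never consulted) versus the laxer CN fallback, shown on constructed certificate records. This is an added illustration, not code from the thread or from FreeIPA/NSS; the cert dicts, hostnames and function names are all made up for the example.

```python
# Added example: RFC 2818 hostname matching as a strict (NSS-like) client applies it,
# next to the laxer "also try the subject CN" behaviour. Certificates are represented
# as constructed dicts (cn + dNSName SAN entries), not parsed X.509, so this runs offline.


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname per RFC 2818: case-insensitive,
    and '*' may stand for a single left-most label only ('*.example.com' matches
    'ipa.example.com' but neither 'a.b.example.com' nor 'example.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str, strict: bool = True) -> bool:
    """strict=True: the RFC 2818 rule. If the cert carries any dNSName SAN entries,
    only those are consulted and the subject CN is ignored entirely.
    strict=False: the laxer behaviour where the CN is tried as a fallback too."""
    san = cert.get("san_dns", [])
    if san:
        if any(_label_match(name, hostname) for name in san):
            return True
        if strict:
            return False  # SAN present, so the CN is never consulted
    return _label_match(cert.get("cn", ""), hostname)


# Constructed certs mirroring the thread: the broken one has the server's own name
# only in the CN plus a single SAN for the load-balanced name; the fixed one was
# requested with BOTH names as SAN entries, which is what Rob advises.
BROKEN_CERT = {"cn": "ipa1.example.com", "san_dns": ["ipa.example.com"]}
FIXED_CERT = {"cn": "ipa1.example.com",
              "san_dns": ["ipa1.example.com", "ipa.example.com"]}


def check_both(cert: dict, hostname: str) -> dict:
    """How a strict (NSS-like) and a lax (CN-tolerant) client each judge hostname."""
    return {"strict": hostname_matches(cert, hostname, strict=True),
            "lax": hostname_matches(cert, hostname, strict=False)}


if __name__ == "__main__":
    for label, cert in (("broken", BROKEN_CERT), ("fixed", FIXED_CERT)):
        for host in ("ipa1.example.com", "ipa.example.com"):
            print(label, host, check_both(cert, host))
```

The broken cert passes a lax client and fails a strict one for the server's own name, which is exactly the split between OpenSSL-based tools and the NSS-based clients that produced the "no alternative certificate subject name matches" error.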
