Thank you. That worked for the master. How do I fix the replica's cert? This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using ipa's DNS at all. Did this happen because of that?
On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale <[email protected]> wrote:
> On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
> > I can confirm that I see this behaviour too. My ipa server install is a
> > pretty stock install with no 3rd party certificates.
> >
> > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
> > [email protected]> wrote:
> >
> > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> > > version 58.0.3029.81. It appears that this version of Chrome will not
> > > trust certificates based on Common Name. Looking at the Chrome
> > > documentation and borne out by one of the messages, from Chrome 58,
> > > the subjectAltName is required to identify the DNS name of the host that
> > > the certificate is issued for. I would be grateful if someone could point
> > > me in the direction of how to recreate my SSL certificates so that
> > > the subjectAltName is populated.
> > >
> > > Thanks in advance
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> Which version of IPA are you using?
>
> The first thing you should do, which I think should be sufficient in
> most cases, is to tell certmonger to submit a new cert request for
> each affected certificate, instructing to include the relevant
> DNSName in the subjectAltName extension in the CSR.
>
> To list certmonger tracking requests and look for the HTTPS
> certificate. For example:
>
>     $ getcert list
>     Number of certificate and requests being tracked: 11
>     ...
>     Request ID '20170418012901':
>             status: MONITORING
>             stuck: no
>             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>             subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>             expires: 2019-03-22 03:20:19 UTC
>             dns: f25-2.ipa.local
>             key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>             track: yes
>             auto-renew: yes
>     ...
>
> Using the Request ID of the HTTPS certificate, resubmit the request
> but use the ``-D <hostname>`` option to specify a DNSName to include
> in the SAN extension:
>
>     $ getcert resubmit -i <Request ID> -D <hostname>
>
> ``-D <hostname>`` can be specified multiple times, if necessary.
>
> This should request a new certificate that will have the server DNS
> name in the SAN extension.
>
> HTH,
> Fraser
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
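As an added example (not code from this thread, nor from FreeIPA or certmonger), the two checks a practitioner would want around the procedure quoted above: picking the Request ID of the HTTPD Server-Cert out of `getcert list` output, and confirming with openssl that a certificate actually carries the host name as a DNS entry in subjectAltName, which is the thing Chrome 58 checks and a CN-only certificate lacks. The `getcert list` sample, the host name replica.ipa.local, the Request IDs and the file paths are constructed for the example, modelled on the listing in the thread; the throwaway certificates are self-signed test artefacts written to a temporary directory, nothing is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Two checks around "getcert resubmit -i <Request ID> -D <hostname>":
#   1. find_request_id: pick the Request ID of the Server-Cert stored in a
#      given NSS DB out of `getcert list` output;
#   2. cert_san_has_dns: confirm a certificate carries the host name as a
#      DNS entry in subjectAltName, which is what Chrome 58+ checks (the CN
#      alone is ignored).
# Host name, paths and IDs below are constructed, modelled on the thread.
set -u

# Constructed sample of `getcert list` output (real data: run `getcert list`).
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170418012859':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=replica.ipa.local,O=IPA.LOCAL 201703211317
Request ID '20170418012901':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=replica.ipa.local,O=IPA.LOCAL 201703211317
EOF
)

# Print the Request ID whose key pair storage lives in NSS DB $1.
# Reads `getcert list` output on stdin; prints nothing when nothing matches.
find_request_id() {
    awk -v loc="$1" -v q="'" '
        /^Request ID / { id = $3; gsub(/[^0-9]/, "", id) }
        /key pair storage:/ && index($0, "location=" q loc q) { print id; exit }
    '
}

# Exit 0 if PEM certificate $1 has a subjectAltName entry exactly "DNS:$2".
cert_san_has_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk -v host="$2" '
        /Subject Alternative Name/ { san = 1; next }
        san { n = split($0, a, ","); san = 0
              for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", a[i]); if (a[i] == "DNS:" host) ok = 1 } }
        END { exit ok ? 0 : 1 }
    '
}

# Write a minimal openssl req config for host $2 into file $1; $3 = san | cn-only.
write_req_cnf() {
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$3" = san ]; then printf 'x509_extensions = v3\n'; fi
        printf '[dn]\nCN = %s\nO = EXAMPLE\n[v3]\nsubjectAltName = DNS:%s\n' "$2" "$2"
    } > "$1"
}

# Build a throwaway key and two self-signed certs for host $1 in dir $2:
# cn-only.pem (name only in the CN, as on the stock install) and
# san.pem (name also in the SAN, what resubmitting with -D yields).
make_demo_certs() {
    write_req_cnf "$2/cn.cnf" "$1" cn-only
    write_req_cnf "$2/san.cnf" "$1" san
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$2/key.pem" \
        -config "$2/cn.cnf" -out "$2/cn-only.pem" 2>/dev/null
    openssl req -x509 -new -key "$2/key.pem" -days 1 \
        -config "$2/san.cnf" -out "$2/san.pem" 2>/dev/null
}

run_demo() {
    host=replica.ipa.local      # assumed replica host name
    dir=$(mktemp -d)
    echo "HTTPD Request ID from sample output: $(printf '%s\n' "$SAMPLE_GETCERT_LIST" | find_request_id /etc/httpd/alias)"
    make_demo_certs "$host" "$dir"
    for c in cn-only san; do
        if cert_san_has_dns "$dir/$c.pem" "$host"; then
            echo "$c.pem: DNS:$host present in SAN, passes the Chrome 58+ name check"
        else
            echo "$c.pem: DNS:$host missing from SAN, Chrome 58+ rejects the name"
        fi
    done
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found, skipping demo" >&2
fi
```

To apply the SAN check to a real server after `getcert resubmit`, export the renewed certificate from the NSS database (`certutil -L -d /etc/httpd/alias -n Server-Cert -a > cert.pem`) and run `cert_san_has_dns cert.pem "$(hostname -f)"`; an exit status of 1 means the new certificate still has no matching DNS SAN and the resubmit did not take. Each IPA server, master or replica, has its own certmonger tracking list, so the same listing and resubmit are run on the replica itself.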
