BTW Now I think of it, why are you using Load balancert, Let SRV
records take care of your IPA load balancing, Configure your clients
to auto-discover IPA server using SRV records.


Regards
Arpit Tolani

On Mon, Jun 12, 2017 at 4:14 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
> Hello
>
> IPA can sign certificate requests with subjectAltName (SAN)
> extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL
> certificate request(s), adding the '-D' option to specify the DNSNAME
> value for each of the VIPs:
>
>     First, on each IPA server, run 'ipa-getcert list' to find the
> Request ID for the back-end LDAP SSL certificate(s)
> (nickname='Server-Cert') that is being tracked:
>
>     # ipa-getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20120717215052':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
>         expires: 2014-07-18 21:50:52 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
>     Using the Request ID from the above command, resubmit the request
> and add the FQDNs for the VIPs:
>
>     # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
>
> But before that, you need to add vip.example.com in IPA first & add it
> as service.
>
> # ipa host-add vip.example.com
> # ipa service-add ldap/vip.example.com
> # ipa service-add-host ldap/vip.example.com --host `hostname`
>
> Now
>
>     # ipa-getcert list
>     # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
>
> Regards
> Arpit Tolani
>
> On Mon, Jun 12, 2017 at 2:49 PM, ridha.zorgui--- via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>> I set up a FreeIPA master and replica behind an elastic load balancer in AWS 
>> cloud. FreeIPA Clients will be contacting the replica and the master sever 
>> through the load balancer so the dns name used when configurting the clients 
>> is the ELB CNAME. The problem is when retreiving data and during the 
>> authentication, the SSL handshake fail as the certificate send back from the 
>> master or replica has a hostname different than the one used in the sssd. so 
>> the connection is terminated.  There is a workaround which is the use 
>> reqcert=allow but this b ring a security issue with a MITM attack. another 
>> solution i found is the use SAN but i don't seem to make it right. any 
>> thought on how to solve that will be very helpful.
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
>
> --
> Thanks & Regards
> Arpit Tolani



-- 
Thanks & Regards
Arpit Tolani
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to