Hi

Thank you for the reply, I will try what you described and see if this works.
I didn't know about this 'SRV records' thing and I don't know if it will work as
I am configuring my clients kinda manually without the client setup script.

Regards

________________________________
From: Arpit Tolani <arpittol...@gmail.com>
Sent: Monday, June 12, 2017 12:48:40 PM
To: FreeIPA users list
Cc: Ridha Zorgui
Subject: Re: [Freeipa-users] FreeIPA master and replica behind an Elastic load balancer

BTW, now that I think of it, why are you using a load balancer? Let SRV
records take care of your IPA load balancing; configure your clients
to auto-discover the IPA server using SRV records.


Regards
Arpit Tolani

On Mon, Jun 12, 2017 at 4:14 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
> Hello
>
> IPA can sign certificate requests with subjectAltName (SAN)
> extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL
> certificate request(s), adding the '-D' option to specify the DNSNAME
> value for each of the VIPs:
>
>     First, on each IPA server, run 'ipa-getcert list' to find the
> Request ID for the back-end LDAP SSL certificate(s)
> (nickname='Server-Cert') that is being tracked:
>
>     # ipa-getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20120717215052':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
>         expires: 2014-07-18 21:50:52 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
>     Using the Request ID from the above command, resubmit the request
> and add the FQDNs for the VIPs:
>
>     # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
>
> But before that, you need to add vip.example.com in IPA first & add it
> as a service.
>
> # ipa host-add vip.example.com
> # ipa service-add ldap/vip.example.com
> # ipa service-add-host ldap/vip.example.com --host `hostname`
>
> Now
>
>     # ipa-getcert list
>     # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
>
> Regards
> Arpit Tolani
>
> On Mon, Jun 12, 2017 at 2:49 PM, ridha.zorgui--- via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>> I set up a FreeIPA master and replica behind an elastic load balancer in AWS
>> cloud. FreeIPA clients will be contacting the replica and the master server
>> through the load balancer, so the DNS name used when configuring the clients
>> is the ELB CNAME. The problem is when retrieving data and during the
>> authentication, the SSL handshake fails as the certificate sent back from the
>> master or replica has a hostname different than the one used in the sssd, so
>> the connection is terminated. There is a workaround which is the use of
>> reqcert=allow but this brings a security issue with a MITM attack. Another
>> solution I found is the use of SAN but I don't seem to make it right. Any
>> thought on how to solve that will be very helpful.
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
>
> --
> Thanks & Regards
> Arpit Tolani



--
Thanks & Regards
Arpit Tolani
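As an added example (not code from the thread or from the FreeIPA project), a small Python helper that parses `ipa-getcert list` output and emits the `ipa-getcert resubmit ... -D` command for each tracked dirsrv Server-Cert that does not yet carry the VIP as a SAN DNS name. It assumes the `dns:` field that newer certmonger releases print for the certificate's SAN names; that field is not in the output quoted above, and the sample below is constructed.

```python
import re

# Constructed sample modelled on the `ipa-getcert list` output quoted in the thread
# (fields trimmed). The `dns:` line listing the certificate's SAN DNS names is
# assumed to be printed by newer certmonger versions; it is not in the quoted output.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120717215052':
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        dns: rhonovo-ipa1.example.com
Request ID '20120717215099':
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        dns: rhonovo-ipa1.example.com,vip.example.com
"""

def parse_getcert_list(text: str) -> list[dict[str, str]]:
    """Return one dict per "Request ID" block, mapping each indented field to its value."""
    requests: list[dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def san_dns_names(req: dict[str, str]) -> list[str]:
    """DNS names the tracked certificate already carries as subjectAltName entries."""
    return [n.strip() for n in req.get("dns", "").split(",") if n.strip()]

def resubmit_commands(text: str, vip: str, nssdb_prefix: str = "/etc/dirsrv/slapd-") -> list[str]:
    """Resubmit command per tracked Server-Cert in the matching NSS DB that lacks the VIP SAN."""
    cmds = []
    for req in parse_getcert_list(text):
        storage = req.get("key pair storage", "")
        if "nickname='Server-Cert'" not in storage or f"location='{nssdb_prefix}" not in storage:
            continue
        names = san_dns_names(req)
        if vip in names:
            continue  # already covered by the current certificate
        # Re-list the existing names alongside the VIP so the renewed certificate keeps
        # them (assumes -D defines the complete SAN list; a redundant -D is harmless).
        flags = " ".join(f"-D {n}" for n in names + [vip])
        cmds.append(f"ipa-getcert resubmit -i {req['id']} {flags}")
    return cmds
```

Run it on the real output of `ipa-getcert list` from each IPA server, after the `ipa host-add` and `ipa service-add` steps quoted above, and review the printed commands before executing them.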