Hi, I am using FreeIPAv4, some of clients products does not support LDAP failover so i am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over. I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA service LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
Everything works as excepted except TLS certificate verification on client side: required Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01 or ds02 and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake failed. nssdb certificate request: Request ID 'yyy': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: xxxx subject: CN=ds02.xxxx expires: 2019-03-24 13:33:31 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx track: yes auto-renew: yes ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx Add new SAN in default LDAP certificate in nssdb is possible with command above but is it recommended/supported? When FreeIPA software will be updated is this SAN configuration will be persistent? What is the best/recommended solution to cover this need? Thank you for your help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574 _______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org