Hi,

Thank you for your response.

Certmonger will track and manage this certificate (and keep my modification), 
but when the FreeIPA software is updated, will this SAN configuration be 
persistent? 
Is it possible that the LDAP certificate request can be changed (deleted and 
re-created, for example) during the FreeIPA upgrade process?

BR,

----- Original Message -----
From: "Fraser Tweedale" <ftwee...@redhat.com>
To: "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>
Cc: "David Goudet" <david.gou...@lyra-network.com>
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)

On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> Hi,
> 
> I am using FreeIPA v4. Some client products do not support LDAP failover, 
> so I am configuring an LDAP load balancer based on KeepAlived to do LDAP stream 
> fail-over.
> I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA 
> service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.
> 
> Everything works as expected except TLS certificate verification on the client 
> side: the hostname required by the client is ldapha.xxx, the stream is load balanced by 
> KeepAlive to ds01 or ds02, and the certificate provided by ds01 or ds02 does not 
> include ldapha.xxx => TLS handshake failed.
> 
> nssdb certificate request:
>  Request ID 'yyy':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: xxxx
>         subject: CN=ds02.xxxx
>         expires: 2019-03-24 13:33:31 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
>         track: yes
>         auto-renew: yes
> 
> ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
> 
> Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command 
> above, but is it recommended/supported? When the FreeIPA software is updated, 
> will this SAN configuration be persistent?
> What is the best/recommended solution to cover this need?
> 
That is a valid approach.  Certmonger will remember the
configuration so you only need to do this once.

Cheers,
Fraser

> Thank you for your help
-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
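The failure mode in this thread is a client that verifies the load-balancer name (ldapha.xxx) against a certificate whose SAN only lists the individual replica. After adding the SAN with `ipa-getcert resubmit -D`, and again after any FreeIPA upgrade, the useful check is to connect to each replica directly and confirm the served leaf certificate still carries the shared name as a DNS SAN. The script below is an added example and is not code from the thread or from the FreeIPA project; the hostnames and the LDAPS port 636 are assumptions taken from the thread's placeholders, and it relies only on `openssl s_client` and `openssl x509 -ext` (OpenSSL 1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the thread): verify that the dirsrv TLS certificate
# served by each FreeIPA replica carries the load-balancer name as a DNS SAN.
# Hostnames are placeholders copied from the thread; adjust for your site.

LB_NAME="ldapha.xxx"                   # name clients verify against
REPLICAS="ds01.xxx ds02.xxx"           # real IPA servers behind KeepAlived
LDAPS_PORT=636                         # assumed LDAPS port

# san_has_dns SAN_TEXT NAME
# SAN_TEXT is the output of 'openssl x509 -noout -ext subjectAltName', e.g.
#   X509v3 Subject Alternative Name:
#       DNS:ds02.xxx, DNS:ldapha.xxx
# Returns 0 when NAME appears as a DNS entry (case-insensitive, exact match,
# so "ds02" does not satisfy "ds02.xxx"), 1 otherwise.
san_has_dns() {
    san_text=$1
    name=$2
    want=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$san_text" \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
      | tr '[:upper:]' '[:lower:]' \
      | grep -qx "$want"
}

# fetch_san HOST PORT
# Prints the SAN extension text of the leaf certificate HOST serves on PORT.
# SNI is sent so a name-based front end returns the right certificate.
fetch_san() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# check_replicas
# Returns 0 if every replica serves LB_NAME in its SAN, 1 otherwise, and
# reports the replicas that would cause TLS verification failures for clients
# connecting through the load balancer.
check_replicas() {
    rc=0
    for h in $REPLICAS; do
        san=$(fetch_san "$h" "$LDAPS_PORT")
        if [ -z "$san" ]; then
            echo "$h: could not read certificate (connection or parse failure)"
            rc=1
        elif san_has_dns "$san" "$LB_NAME"; then
            echo "$h: OK, SAN includes $LB_NAME"
        else
            echo "$h: MISSING $LB_NAME in SAN; clients using $LB_NAME will fail TLS verification"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when invoked as:  sh check_san.sh run
if [ "${1:-}" = "run" ]; then
    check_replicas
fi
```

Running it from a cron job or a post-upgrade checklist gives a direct answer to the question in the thread: if a replica comes back with MISSING after an update, the tracking request did not survive and the `ipa-getcert resubmit -D` step needs to be repeated on that server.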