On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
> Hi,
>
> Thank you for your response.
>
> Certmonger will track and manage this certificate (and keep my modification),
> but when the FreeIPA software is updated, will this SAN configuration be
> persistent?
> Is it possible that the LDAP certificate request can be changed (deleted and
> re-created, for example) during the FreeIPA upgrade process?
>
Nope, FreeIPA won't change it on upgrade.

> BR,
>
> ----- Original Message -----
> From: "Fraser Tweedale" <ftwee...@redhat.com>
> To: "FreeIPA users list" <email@example.com>
> Cc: "David Goudet" <david.gou...@lyra-network.com>
> Sent: Monday, July 10, 2017 4:28:55 AM
> Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
>
> On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users
> wrote:
> > Hi,
> >
> > I am using FreeIPAv4. Some client products do not support LDAP
> > failover, so I am configuring an LDAP load balancer based on KeepAlived to do
> > LDAP stream fail-over.
> > I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA
> > service LDAP/ldapha.xxx which has two IPs (ds01 & ds02) in the DNS alias entry.
> >
> > Everything works as expected except TLS certificate verification on the client
> > side: the hostname required by the client is ldapha.xxx, the stream is load
> > balanced by KeepAlive onto ds01 or ds02, and the certificate provided by ds01
> > or ds02 does not include ldapha.xxx => TLS handshake failed.
> >
> > nssdb certificate request:
> > Request ID 'yyy':
> > status: MONITORING
> > stuck: no
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: xxxx
> > subject: CN=ds02.xxxx
> > expires: 2019-03-24 13:33:31 UTC
> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
> > track: yes
> > auto-renew: yes
> >
> > ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
> >
> > Adding a new SAN to the default LDAP certificate in the nssdb is possible with
> > the command above, but is it recommended/supported? When the FreeIPA software
> > is updated, will this SAN configuration be persistent?
> > What is the best/recommended solution to cover this need?
> >
> That is a valid approach. Certmonger will remember the
> configuration so you only need to do this once.
>
> Cheers,
> Fraser
>
> > Thank you for your help
> --
> David GOUDET
>
> LYRA NETWORK
> IT Operations service
> Tel : +33 (0)5 32 09 09 74 | Poste : 574

_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
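Added example, not from the thread or from FreeIPA: after the `ipa-getcert resubmit ... -D <lb-name>` step, a small check that the certificate each backend serves really lists the load-balancer name, which is what the clients failing the handshake above validate. Host names, the port 636 and the self-signed test certificate are placeholders constructed here.

```shell
#!/bin/sh
# Verify that a dirsrv/LDAP server certificate carries the load-balancer
# host name as a DNS subjectAltName (added example; names are placeholders).

# List the DNS names in a PEM certificate's subjectAltName, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 when the certificate in $1 lists $2 as a DNS SAN, 1 otherwise.
cert_has_san() {
  cert_dns_sans "$1" | grep -qx "$2"
}

# Fetch the certificate a live LDAPS endpoint presents (assumed port 636,
# the VIP name sent as SNI) and check it lists that same name.
endpoint_has_san() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp" 2>/dev/null
  cert_has_san "$tmp" "$1"; rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed test data: a self-signed cert shaped like the ds02 cert after
# "resubmit -D ds02... -D ldapha..." (example.test names, not the poster's).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${1%.pem}.key" -out "$1" -subj "/CN=ds02.example.test" \
    -addext "subjectAltName=DNS:ds02.example.test,DNS:ldapha.example.test" \
    >/dev/null 2>&1
}

# Usage: sh check_san.sh <load-balancer-hostname>  (queries the live endpoint)
if [ -n "$1" ]; then
  if endpoint_has_san "$1"; then
    echo "ok: $1 is present in the served certificate's SAN"
  else
    echo "missing: $1 is not in the served certificate's SAN"; exit 1
  fi
fi
```

Run it once against the VIP name after each backend has been resubmitted and restarted; a backend still serving the old certificate shows up as "missing".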