Ok, great.

I will do that (and monitor that the additional SAN ldapha.xx is persistent after 
upgrade)

Thank you for your help

BR

----- Original Message -----
From: "Fraser Tweedale" <ftwee...@redhat.com>
To: "David Goudet" <david.gou...@lyra-network.com>
Cc: "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>
Sent: Monday, July 10, 2017 11:25:56 PM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)

On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
> Hi,
> 
> Thank you for your response.
> 
> Certmonger will track and manage this certificate (and keep my modification), 
> but when the FreeIPA software is updated, will this SAN configuration be 
> persistent? 
> Is it possible that the LDAP certificate request could be changed (deleted and 
> re-created, for example) during the FreeIPA upgrade process?
> 
Nope, FreeIPA won't change it on upgrade.

> BR,
> 
> ----- Original Message -----
> From: "Fraser Tweedale" <ftwee...@redhat.com>
> To: "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>
> Cc: "David Goudet" <david.gou...@lyra-network.com>
> Sent: Monday, July 10, 2017 4:28:55 AM
> Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
> 
> On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users 
> wrote:
> > Hi,
> > 
> > I am using FreeIPA v4; some client products do not support LDAP 
> > failover, so I am configuring an LDAP load balancer based on KeepAlived to do 
> > LDAP stream fail-over.
> > I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA 
> > service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.
> > 
> > Everything works as expected except TLS certificate verification on the client 
> > side: the hostname required by the client is ldapha.xxx, the stream is load balanced 
> > by KeepAlived onto ds01 or ds02, and the certificate provided by ds01 or ds02 does 
> > not include ldapha.xxx => TLS handshake failed.
> > 
> > nssdb certificate request:
> >  Request ID 'yyy':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: xxxx
> >         subject: CN=ds02.xxxx
> >         expires: 2019-03-24 13:33:31 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
> >         track: yes
> >         auto-renew: yes
> > 
> > ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
> > 
> > Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command 
> > above, but is it recommended/supported? When the FreeIPA software is 
> > updated, will this SAN configuration be persistent?
> > What is the best/recommended solution to cover this need?
> > 
> That is a valid approach.  Certmonger will remember the
> configuration so you only need to do this once.
> 
> Cheers,
> Fraser
> 
> > Thank you for your help
> -- 
> David GOUDET 
> 
> LYRA NETWORK 
> IT Operations service
> Tel : +33 (0)5 32 09 09 74 | Poste : 574
-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
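A defender-side check for what the reply above says it will do (monitor that the ldapha.xxx SAN is still on the tracked dirsrv certificate after upgrades), written here as an added example and not code from this thread or from FreeIPA/certmonger: it parses `ipa-getcert list` output and flags a request whose `dns:` line lacks a required name, that is stuck or not in MONITORING, or whose certificate has expired. The listing embedded in it is constructed from the one quoted in the thread, as it might look after the `resubmit -D` command; the `dns:` line is an assumption about how certmonger reports DNS SANs, since the quoted listing (taken before the resubmit) shows none.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample, modelled on the `ipa-getcert list` output quoted in the
# thread, as it might look after `ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx`.
# ASSUMPTION: certmonger reports the certificate's DNS SANs on a `dns:` line.
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 1.
Request ID 'yyy':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxx/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXX
        subject: CN=ds02.xxxx,O=XXXX
        expires: 2019-03-24 13:33:31 UTC
        dns: ds02.xxxx,ldapha.xxx
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Turn getcert's indented 'key: value' blocks into one dict per request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def check_request(req, required_sans, now):
    """Return a list of problems for one tracking request; empty means healthy."""
    problems = []
    if req.get("status") != "MONITORING":
        problems.append("status is %s, not MONITORING" % req.get("status"))
    if req.get("stuck") != "no":
        problems.append("request is stuck")
    if req.get("track") != "yes" or req.get("auto-renew") != "yes":
        problems.append("tracking or auto-renew is off")
    # SAN comparison is case-insensitive, as DNS names are.
    present = {s.strip().lower() for s in req.get("dns", "").split(",") if s.strip()}
    missing = sorted({s.lower() for s in required_sans} - present)
    if missing:
        problems.append("missing SAN(s): " + ", ".join(missing))
    expires = req.get("expires")
    if expires:
        exp_dt = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
        if exp_dt <= now:
            problems.append("certificate expired " + expires)
    else:
        problems.append("no expiry recorded (no certificate issued?)")
    return problems


def audit(text, required_sans, now_utc=None):
    """Map request id -> problems. now_utc is 'YYYY-MM-DD HH:MM:SS' (UTC) or None for the current time."""
    if now_utc is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {r["id"]: check_request(r, required_sans, now) for r in parse_getcert_list(text)}


if __name__ == "__main__":
    # Real use (hypothetical script name): ipa-getcert list -i yyy | python3 check_san.py ldapha.xxx
    names = sys.argv[1:] or ["ldapha.xxx"]
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    report = audit(listing, names)
    for rid, probs in report.items():
        print(rid, "OK" if not probs else "; ".join(probs))
    sys.exit(1 if any(report.values()) else 0)
```

Run it from cron or a monitoring agent after each FreeIPA upgrade with the load-balanced name as argument; a non-zero exit means the SAN was lost, the request is stuck, or the certificate lapsed, which is exactly the condition that reproduces the TLS handshake failure described at the top of the thread.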
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
