I set up a FreeIPA master and replica behind an elastic load balancer in AWS 
cloud. FreeIPA Clients will be contacting the replica and the master sever 
through the load balancer so the dns name used when configurting the clients is 
the ELB CNAME. The problem is when retreiving ldap data and during the 
authentication, the SSL handshake fails as the certificate sent back from the 
master or replica has a hostname different than the one used in the sssd ( the 
ELB CNAME). so the connection is terminated.  There is a workaround which is 
the use reqcert=allow but this bring a security issue with a MITM attack. 
another solution i found is the use SAN. I was able to add the ELB DNS as a SAN 
in freeipa servers certificate. i made sure it is there by downloading the 
certificate and checking that the elb san exist but when testing it the same 
problem remain. Please help.  
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to