On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> 
> My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by 
> an external root CA. Problem:
> 
> Even though I have imported the root CA and clicked on all the trust
> checkboxes, chromium complains about the certificate of the web admin 
> interface running on https://ipa1.example.com/ :
> 
> - Subject Alternative Name missing
>   The certificate for this site does not contain a Subject Alternative 
>   Name extension containing a domain name or IP address.
> - Certificate error
>   There are issues with the site's certificate chain 
>   (net::ERR_CERT_COMMON_NAME_INVALID).
> 
> The CN is "ipa1.example.com", matching the host name. The Subject 
> Alternative Name is
> 
> Not Critical
> Microsoft Principal Name: HTTP/ipa1.example....@example.com
> OID.1.3.6.1.5.2.2: 30 30 A0 0B 1B 09 41 49 58 49 47 4F 2E 44 45 A1
> 21 30 1F A0 03 02 01 01 A1 18 30 16 1B 04 48 54
> 54 50 1B 0E 69 70 61 31 2E 61 69 78 69 67 6F 2E
> 64 65
> 
> I haven't seen this mentioned here, but Google provides some more
> information:
> 
> https://support.google.com/chrome/a/answer/7391219?hl=en 
> 
> How can I tell freeipa?
> 
Hi Harald,

Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
HTTP certificate with the appropriate DNS-NAME Subject Alt Name
value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
be the certificate in NSSDB `/etc/httpd/alias` with nickname
`Server-Cert`.

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
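
The two steps from the reply above, as an added example that is not part of the original thread and is not certmonger or FreeIPA code. The `getcert list` output is a constructed, trimmed sample with made-up request IDs, the function names are hypothetical, and repeating `-D` once per DNS name is an assumption. The second tracked certificate with the same nickname in a different NSSDB shows why the match is made on location as well as nickname.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (trimmed; request IDs are made up).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
Request ID '20170101000002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    principal name: HTTP/ipa1.example.com@EXAMPLE.COM
EOF
}

# Read `getcert list` output on stdin; print the request ID whose certificate
# line matches both the NSSDB directory ($1) and the nickname ($2).
find_request_id() {
    awk -v loc="$1" -v nick="$2" '
        /^Request ID / { split($0, p, "\047"); id = p[2] }
        /^[[:space:]]*certificate: / &&
            index($0, "location=\047" loc "\047") &&
            index($0, "nickname=\047" nick "\047") { print id; exit }
    '
}

# Build (do not run) the resubmit command: $1 = request ID, rest = DNS names.
# Assumption: -D is given once per DNS name.
resubmit_command() {
    rid=$1; shift
    [ -n "$rid" ] || { echo "no matching request ID" >&2; return 1; }
    cmd="getcert resubmit -i $rid"
    for name in "$@"; do
        cmd="$cmd -D $name"
    done
    printf '%s\n' "$cmd"
}

# On a real IPA server, pipe `getcert list` in place of sample_getcert_list.
id=$(sample_getcert_list | find_request_id /etc/httpd/alias Server-Cert)
resubmit_command "$id" ipa1.example.com
```

Review the printed command before running it as root on the IPA server.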
