On Tue, 07 Jun 2022, Bret Wortman via FreeIPA-users wrote:
> I'm trying to create a wildcard certificate to use with some elasticsearch ECE
> systems and it's not working quite right yet. I found Fraser's blog at
> https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wildcard-certs.html
> and followed the directions there. After installing the cert chain on my ES
> servers, when I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN
> error, even though the cert contains:
> Subject Name
> Organization OUR.NET 201804300753
> Common Name *.elastic.our.net
> Issuer Name
> Organization OUR.NET 201804300753
> Common Name Certificate Authority
> Validity
> Not Before Tue, 07 Jun 2022 14:48:08 GMT
> Not After Fri, 07 Jun 2024 14:48:08 GMT
> Subject Alt Names
> DNS Name zsece01.our.net
> DNS Name zsece02.our.net
> DNS Name zsece013our.net
> :
> I've tried including elastic.our.net as an alt name too and it didn't prevent
> the error. What am I missing?

You need to have dnsName: *.elastic.our.net in the SAN as well. Most
browsers stopped looking into CN already for CAs from the root CA list
but recently Firefox and Chrome also applied this to private CAs as
well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
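
The matching rule described in the reply, as an added example that is not part of the thread or of FreeIPA: a simplified SAN-only matcher in Python, run over the certificate names posted above. The host names marked as constructed and the function names are assumptions made for illustration, and the rules are a simplified form of what browsers apply.

```python
# Added example: SAN-only host name matching, simplified from browser behaviour.
# Names marked "constructed" are not from the thread.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName entry against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False          # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard must be the whole left-most label, with a real domain after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h   # partial wildcards (f*.x) are rejected


def cert_valid_for(host, san_dns_names, subject_cn=None):
    """subject_cn is accepted but never consulted: no fallback to the CN."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


# Values as posted in the thread (the SAN list is elided there after three entries).
THREAD_CN = "*.elastic.our.net"
THREAD_SAN = ["zsece01.our.net", "zsece02.our.net", "zsece013our.net"]
# What the reply asks for: the wildcard repeated as a dNSName.
FIXED_SAN = THREAD_SAN + ["*.elastic.our.net"]

if __name__ == "__main__":
    hosts = [
        "node1.elastic.our.net",    # constructed host under the wildcard
        "elastic.our.net",          # bare domain: not covered by the wildcard
        "a.b.elastic.our.net",      # constructed: two labels deep, not covered
        "zsece01.our.net",          # listed explicitly in the SAN
    ]
    for host in hosts:
        before = cert_valid_for(host, THREAD_SAN, THREAD_CN)
        after = cert_valid_for(host, FIXED_SAN, THREAD_CN)
        print(f"{host:24} as issued: {before!s:5}  with wildcard SAN: {after}")
```

The same check can be made against the real certificate by listing its subjectAltName extension and confirming the wildcard appears there as a DNS entry, not only in the Common Name.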