Rob,

As I was responding a little bit late last night, the following came to mind.

As you say I need to request my cert with two names; how do you mean? I'm using curl at the moment, so I'm figuring that out. As the same issue happens in the GUI itself, I think this might be a problem. When I access ldap-01 directly it complains at the services tab about some service hosts that are in there, and some not. I think this is not a simple PTR or A record fix; I'm curious how to do it.

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> I'm almost there, but when I regenerate a certificate for
>> the ldap server I get the following when I visit it through the
>> loadbalancer:
>>
>> no alternative certificate subject name matches target host name
>> 'ldap-01.domain....'
>>
>> I think this is strange, as the certificate shows the ldap under the
>> altnames for HTTP/ldap-01, but there is indeed no ldap-01 as altname,
>> only on the certificate itself.
>
> It turns out that NSS implements cert checking very strictly following
> RFC 2818 while OpenSSL is a bit more lax about it.
>
> The RFC states that if there is a subjectAltName then only that is used
> to validate the hostname. And in fact, it discourages using the subject
> at all and ONLY relying on the subjectAltName, though it does recognize
> that it is current practice (and was that way in 2000 as well).
>
> So you need to request your new cert with TWO names: the host name and
> the alternate name. That should make the cert work anyway.
>
> rob
>
>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Yes, something is wrong there I guess.
>>>
>>> In any case, it doesn't apply to what you're trying to do.
>>>
>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>> is different, I think, than the services at least.
>>>>
>>>> So the question there is... how?
>>>
>>> What webserver cert? Are you trying to load balance the IPA services via
>>> DNS?
>>>
>>> Not knowing what you want, I'm just answering what you are ASKING. That
>>> is not the same as giving a proper answer. I have the feeling you want
>>> to load balance IPA in general which isn't going to work without a ton
>>> of (ongoing) manual effort. Even Microsoft recommends against trying
>>> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>>
>>> In any case, the instructions I've already provided still apply.
>>>
>>> If you want to replace the Apache webserver cert you'll just need to do
>>> a couple of things first which has the potential of completely breaking
>>> IPA, so you'll need to be careful.
>>>
>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>
>>> Stop tracking the Apache cert in certmonger:
>>>
>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>
>>> Delete the existing cert:
>>>
>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>
>>> Like I said, destructive.
>>>
>>> Finally use certmonger to get a new cert that includes a SAN. The syntax
>>> is slightly different than before, mostly because I'm just guessing in
>>> the dark because you aren't including enough details into what you're
>>> trying.
>>>
>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
>>> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>
>>> In this case the IPA server is ipa1.example.com and you're creating a
>>> SAN for ipa.example.com.
>>>
>>> Restart httpd.
>>>
>>> Note that this doesn't solve the Kerberos problem, so cli access will
>>> still not work as expected. The UI _might_ work using forms-based
>>> authentication.
>>>
>>> I'd strongly urge you to think about the top of this e-mail before
>>> proceeding onto the bottom.
>>>
>>> rob
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>> Matt . wrote:
>>>>>> When digging around I see this documentation:
>>>>>>
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>
>>>>>> I would expect that server.example.com is not going to be accepted by
>>>>>> IPA when you visit the webgui like that?
>>>>>
>>>>> These are SRV records for the ldap service. Think of it as discovery for
>>>>> who provides ldap service in the domain. It isn't something used by a
>>>>> web browser.
>>>>>
>>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>>>> think it should be example.com and not server.example.com. But in any
>>>>> case it is irrelevant to a browser.
>>>>>
>>>>> rob
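The RFC 2818 rule Rob describes (once a certificate carries a subjectAltName extension, the subject CN is not consulted for hostname matching, so a cert whose SAN lacks the server's own name fails even though the CN has it) is easy to see in code. The following is an added example, not part of the thread and not NSS or FreeIPA code: it implements the matching rule over certificates written in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns. The three certificates and the `example.com` names are constructed for illustration; `ldap-01.example.com` stands in for Matt's server and `ipa.example.com` for the load-balancer name.

```python
"""RFC 2818-style hostname matching against a peer certificate.

Added example. Certificates are dicts in the layout ssl.getpeercert()
uses: 'subject' is a tuple of RDNs, each a tuple of (type, value) pairs;
'subjectAltName' is a tuple of (kind, value) pairs such as ('DNS', name).
"""
from __future__ import annotations


def _dns_match(presented: str, hostname: str) -> bool:
    """Match one presented dNSName against a hostname.

    Comparison is case-insensitive. A wildcard is honoured only when it
    is the entire left-most label and there are at least two further
    labels (RFC 6125 6.4.3), so '*.com' never matches 'example.com' and
    '*.example.com' never spans 'a.b.example.com'.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason) following RFC 2818 section 3.1.

    If the certificate has a subjectAltName extension, only its dNSName
    entries are candidates; the subject commonName is used solely as a
    fallback when no SAN extension is present at all.
    """
    if "subjectAltName" in cert:
        candidates = [v for kind, v in cert["subjectAltName"] if kind == "DNS"]
        source = "subjectAltName"
    else:
        candidates = [
            v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"
        ]
        source = "commonName (no SAN extension present)"
    for name in candidates:
        if _dns_match(name, hostname):
            return True, f"{hostname!r} matched {name!r} from {source}"
    return False, f"no {source} entry matches {hostname!r}; candidates={candidates}"


# Constructed sample: CN carries the server name, but the SAN only carries
# the load-balancer name. Connecting to the server name itself fails, which
# is the shape of the "no alternative certificate subject name matches"
# error from the thread.
CERT_SAN_WITHOUT_HOST = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
    "subjectAltName": (("DNS", "ipa.example.com"),),
}

# Constructed sample: the fix Rob describes, both names in the SAN.
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
    "subjectAltName": (("DNS", "ldap-01.example.com"), ("DNS", "ipa.example.com")),
}

# Constructed sample: legacy cert with no SAN extension; CN fallback applies.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
}


def main() -> None:
    for label, cert in (
        ("SAN without host name", CERT_SAN_WITHOUT_HOST),
        ("SAN with both names", CERT_BOTH_NAMES),
        ("CN only, no SAN", CERT_CN_ONLY),
    ):
        for host in ("ldap-01.example.com", "ipa.example.com"):
            ok, why = match_hostname(cert, host)
            print(f"[{label}] {'OK  ' if ok else 'FAIL'} {why}")


if __name__ == "__main__":
    main()
```

Real clients should rely on their TLS library's built-in verification (NSS, OpenSSL's `X509_check_host`, Python's `ssl` module with `check_hostname=True`); the function above exists only to make the precedence rule visible. The `CERT_SAN_WITHOUT_HOST` case is the one to look for when debugging: the CN is correct, yet the handshake fails, because the SAN extension is present and does not list the name being connected to.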