John Obaterspok wrote:
Hi,

I have an ipa.my.lan and a CNAME gitserver.my.lan pointing to ipa.my.lan

I recently started to get the NSS error "SSL peer has no certificate for the
requested DNS name." when I'm accessing my https://gitserver.my.lan

Previously this worked fine if I had set "git config --global
http.sslVerify false" according to
https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html

Now I tried to solve this by adding a SubjectAltName to the
HTTP/ipa.my.lan certificate like this:

status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MY.LAN
subject: CN=ipa.my.lan,O=MY.LAN
expires: 2018-02-06 19:24:52 UTC
dns: gitserver.my.lan,ipa.my.lan
principal name: http/ipa.my....@my.lan
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

But I still get the below error:

* NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
* SSL peer has no certificate for the requested DNS name

What version of mod_nss? It recently added support for SNI. You can try turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf, but I'd imagine you were already relying on it.

rob
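As an added diagnostic example (not code from this thread, certmonger or FreeIPA), the script below separates the two things that can go wrong here: whether the `dns:` SAN line certmonger reports actually covers the CNAME, and whether the server, when sent that CNAME as the SNI name, answers with the unrecognized-name alert Rob describes rather than a plain certificate/hostname mismatch. The `getcert list` excerpt is constructed from the one in the thread; host, port and `cafile` are whatever the caller passes.

```python
import socket
import ssl

# Constructed excerpt of `getcert list` output, modelled on the thread's listing.
SAMPLE_GETCERT = """\
status: MONITORING
subject: CN=ipa.my.lan,O=MY.LAN
dns: gitserver.my.lan,ipa.my.lan
eku: id-kp-serverAuth,id-kp-clientAuth
"""


def san_dns_names(getcert_output):
    """Return the DNS SAN entries certmonger prints on the 'dns:' line."""
    for line in getcert_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "dns":
            return [n.strip() for n in value.split(",") if n.strip()]
    return []


def name_covered(hostname, names):
    """True if hostname is covered by a SAN entry (exact, or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for entry in names:
        entry = entry.lower().rstrip(".")
        if entry == host:
            return True
        # '*.my.lan' covers 'a.my.lan' but not 'a.b.my.lan' or 'my.lan'.
        if entry.startswith("*.") and host.count(".") == entry.count(".") \
                and host.endswith(entry[1:]):
            return True
    return False


def probe_sni(host, port, server_name, cafile=None):
    """Connect to host:port sending server_name as SNI and classify the outcome.

    Returns 'ok', 'unrecognized_name' (the server-side SNI alert from the thread),
    'hostname_mismatch' (handshake done, but the presented cert does not match
    server_name), or 'error:<detail>' for anything else."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                tls.getpeercert()  # handshake completed and verified
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return "hostname_mismatch" if "hostname" in str(e).lower() else f"error:{e}"
    except ssl.SSLError as e:
        # OpenSSL reports the TLS unrecognized_name alert as "tlsv1 unrecognized name".
        return "unrecognized_name" if "unrecognized" in str(e).lower() else f"error:{e}"
    except OSError as e:
        return f"error:{e}"
```

A result of `unrecognized_name` while `name_covered()` is true points at the server's SNI/virtual-host configuration rather than at the certificate, which is the distinction the thread is after.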

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project