I tried that, but the replica's "getcert list" doesn't seem to show any results. "Number of certificates and requests being tracked: 0." Is that expected?
On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
> > Thank you. That worked for the master. How do I fix the replica's cert?
> > This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
> > ipa's DNS at all. Did this happen because of that?
> >
> This is not related to DNS.
>
> To fix the replica, log onto the host and perform the same steps
> with Certmonger there. The tracking Request ID will be different
> but otherwise the process is the same.
>
> Cheers,
> Fraser
>
> > On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale <ftwee...@redhat.com>
> > wrote:
> >
> > > On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
> > > > I can confirm that I see this behaviour too. My ipa server install is a
> > > > pretty stock install with no 3rd party certificates.
> > > >
> > > > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
> > > > simon.willi...@thehelpfulcat.com> wrote:
> > > >
> > > > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> > > > > version 58.0.3029.81. It appears that this version of Chrome will not
> > > > > trust certificates based on Common Name. Looking at the Chrome
> > > > > documentation and borne out by one of the messages, from Chrome 58,
> > > > > the subjectAltName is required to identify the DNS name of the host that
> > > > > the certificate is issued for. I would be grateful if someone could point
> > > > > me in the direction of how to recreate my SSL certificates so that
> > > > > the subjectAltName is populated.
> > > > >
> > > > > Thanks in advance
> > > > >
> > > > > --
> > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > Go to http://freeipa.org for more info on the project
> > > >
> > > Which version of IPA are you using?
> > >
> > > The first thing you should do, which I think should be sufficient in
> > > most cases, is to tell certmonger to submit a new cert request for
> > > each affected certificate, instructing to include the relevant
> > > DNSName in the subjectAltName extension in the CSR.
> > >
> > > To list certmonger tracking requests and look for the HTTPS
> > > certificate. For example:
> > >
> > > $ getcert list
> > > Number of certificate and requests being tracked: 11
> > > ...
> > > Request ID '20170418012901':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
> > >         subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
> > >         expires: 2019-03-22 03:20:19 UTC
> > >         dns: f25-2.ipa.local
> > >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> > >         track: yes
> > >         auto-renew: yes
> > > ...
> > >
> > > Using the Request ID of the HTTPS certificate, resubmit the request
> > > but use the ``-D <hostname>`` option to specify a DNSName to include
> > > in the SAN extension:
> > >
> > > $ getcert resubmit -i <Request ID> -D <hostname>
> > >
> > > ``-D <hostname>`` can be specified multiple times, if necessary.
> > >
> > > This should request a new certificate that will have the server DNS
> > > name in the SAN extension.
> > >
> > > HTH,
> > > Fraser
> >
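As an added example (not code from this thread, FreeIPA or certmonger), the script below automates the procedure Fraser describes: it parses `getcert list` output, reports every tracking request whose certificate has no SAN DNS entry for the given hostname (a request with no `dns:` line at all is exactly the Common-Name-only certificate Chrome 58 rejects), and prints or runs the matching `getcert resubmit -i <ID> -D <hostname>` command. The function names, the second request ID and the dirsrv NSS database path in the embedded sample are constructed for the example.

```shell
#!/bin/sh
# Added example: scan `getcert list` output for tracking requests whose
# certificate has no SAN DNS entry for HOST, and emit (or run) the
# `getcert resubmit -i ID -D HOST` command for each one.
# Real use:  getcert list | requests_missing_san "$(hostname -f)" | resubmit_cmds "$(hostname -f)" run

# IDs of requests (stdin, `getcert list` format) lacking "dns: <host>".
# A request with no "dns:" line at all has no SAN, which Chrome 58 rejects.
requests_missing_san() {
    awk -v host="$1" '
        function flush() { if (id != "" && !found) print id; id = ""; found = 0 }
        /^Request ID /  { flush(); id = substr($3, 2, length($3) - 3) }   # drop quotes and colon
        /^[ \t]*dns:/   { n = split($0, f, /[ \t,:]+/)
                          for (i = 2; i <= n; i++) if (f[i] == host) found = 1 }
        END             { flush() }'
}

# Read IDs from stdin; print the resubmit command, or execute it when $2 is "run".
resubmit_cmds() {
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        if [ "$2" = run ]; then getcert resubmit -i "$id" -D "$1"
        else printf 'getcert resubmit -i %s -D %s\n' "$id" "$1"; fi
    done
}

# Constructed sample in the format quoted above (two requests: the first has
# no SAN at all, the second already carries the hostname).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170418012901':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
        track: yes
Request ID '20170418012902':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
        dns: f25-2.ipa.local
        track: yes
EOF
}

# Dry run over the sample: only 20170418012901 needs a resubmit.
sample_getcert_list | requests_missing_san f25-2.ipa.local | resubmit_cmds f25-2.ipa.local
```

On a replica that reports zero tracked requests, as in the question above, the script simply prints nothing, since there is no certmonger request to resubmit there.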