[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote:
> On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote:
> > Hi Fraser,
> > 
> > On Fri, 11 Aug 2017 18:48:29 +1000
> > Fraser Tweedale via FreeIPA-users  
> > wrote:
> > 
> > > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users 
> > > wrote:
> > > >
> > > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > > >
> > > > How can I tell freeipa?
> > > >
> > > Hi Harald,
> > > 
> > > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > > value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
> > > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > > `Server-Cert`.
> > > 
> > 
> > This worked, thanx very much.
> > 
> > I would suggest creating the web server certificate with an appropriate
> > SubjectAltName right from the start in ipa-server-install, but maybe
> > this has already been fixed?
> Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
> point: https://bugzilla.redhat.com/show_bug.cgi?id=1477046
> 
Actually we have requested IPA service certificates with SAN for
several releases now.  The recent change (#7007) is to change the
default profile to always add SAN, even if not explicitly requested.

Anyway, Harald's installation is obviously from a time before either
of those changes :)

Cheers,
Fraser

> See https://pagure.io/freeipa/issue/7007 for more upstream details.
> 
> -- 
> / Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users

On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote:
> Hi Fraser,
> 
> On Fri, 11 Aug 2017 18:48:29 +1000
> Fraser Tweedale via FreeIPA-users  wrote:
> 
> > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> > >
> > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > >
> > > How can I tell freeipa?
> > >
> > Hi Harald,
> > 
> > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
> > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > `Server-Cert`.
> 
> This worked, thanx very much.
> 
> I would suggest creating the web server certificate with an appropriate
> SubjectAltName right from the start in ipa-server-install, but maybe
> this has already been fixed?

Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
point: https://bugzilla.redhat.com/show_bug.cgi?id=1477046

See https://pagure.io/freeipa/issue/7007 for more upstream details.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Harald Dunkel via FreeIPA-users
Hi Fraser,

On Fri, 11 Aug 2017 18:48:29 +1000
Fraser Tweedale via FreeIPA-users  wrote:

> On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users 
> wrote:
> > 
> > https://support.google.com/chrome/a/answer/7391219?hl=en 
> > 
> > How can I tell freeipa?
> >   
> Hi Harald,
> 
> Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
> be the certificate in NSSDB `/etc/httpd/alias` with nickname
> `Server-Cert`.
> 

This worked, thanx very much.

I would suggest creating the web server certificate with an appropriate
SubjectAltName right from the start in ipa-server-install, but maybe
this has already been fixed?


Regards
Harri


[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-11 Thread Bernhard Kneip via FreeIPA-users

Hi Harald,

On 11.08.2017 at 09:40, Harald Dunkel via FreeIPA-users wrote:

> - Subject Alternative Name missing
>    The certificate for this site does not contain a Subject Alternative
>    Name extension containing a domain name or IP address.

Recent versions of Chrome/Chromium expect SubjectAltName to be set.
There can be multiple SubjectAltNames in each certificate.


Have a look at the -D option of ipa-getcert request.

Best regards,

Bernhard


[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> 
> My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by 
> an external root CA. Problem:
> 
> Even though I have imported the root CA and clicked on all the trust
> checkboxes, chromium complains about the certificate of the web admin 
> interface running on https://ipa1.example.com/ :
> 
> - Subject Alternative Name missing
>   The certificate for this site does not contain a Subject Alternative 
>   Name extension containing a domain name or IP address.
> - Certificate error
>   There are issues with the site's certificate chain 
>   (net::ERR_CERT_COMMON_NAME_INVALID).
> 
> The CN is "ipa1.example.com", matching the host name. The Subject 
> Alternative Name is
> 
> Not Critical
> Microsoft Principal Name: HTTP/ipa1.example@example.com
> OID.1.3.6.1.5.2.2: 30 30 A0 0B 1B 09 41 49 58 49 47 4F 2E 44 45 A1
> 21 30 1F A0 03 02 01 01 A1 18 30 16 1B 04 48 54
> 54 50 1B 0E 69 70 61 31 2E 61 69 78 69 67 6F 2E
> 64 65
> 
> I haven't seen this mentioned here, but Google provides some more
> information:
> 
> https://support.google.com/chrome/a/answer/7391219?hl=en 
> 
> How can I tell freeipa?
> 
Hi Harald,

Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
HTTP certificate with the appropriate DNS-NAME Subject Alt Name
value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
be the certificate in NSSDB `/etc/httpd/alias` with nickname
`Server-Cert`.

Cheers,
Fraser
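What Chrome 58+ actually looks for in the certificate Fraser's `getcert resubmit -D` reissues, as an added example in Python (not FreeIPA or certmonger code): a minimal DER walk over a SAN extension value that lists its dNSName entries, run on a constructed SAN that, like Harald's, carries only a KRB5PrincipalName otherName, and on the same SAN after a dNSName for `ipa1.example.com` is added. The `krb5_principal_name` helper and the example.com values are assumptions made here.

```python
"""Does a Subject Alternative Name carry the dNSName Chrome 58+ insists on?
Added example, not FreeIPA or certmonger code.  The SAN values are constructed
here for ipa1.example.com; nothing is read from a real certificate."""

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, short-form length only (enough for these SANs)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_walk(data: bytes):
    """Yield (tag, value) for each TLV inside a DER constructed value."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long form: 0x8N then N bytes
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length

def san_dns_names(san_value: bytes) -> list:
    """dNSName entries (context tag [2] = 0x82, IA5String) of a SAN extnValue."""
    _, general_names = next(der_walk(san_value))          # outer SEQUENCE
    return [v.decode("ascii") for t, v in der_walk(general_names) if t == 0x82]

def chrome_accepts(san_value: bytes, hostname: str) -> bool:
    """Chrome 58+ ignores the CN; a dNSName must match (exact match only here,
    wildcard labels are not handled)."""
    return hostname.lower() in (n.lower() for n in san_dns_names(san_value))

def krb5_principal_name(service: str, host: str, realm: str) -> bytes:
    """GeneralName otherName { id-pkinit-san 1.3.6.1.5.2.2, KRB5PrincipalName },
    the SAN type an IPA service cert carries; it is not a dNSName."""
    gs = lambda s: der(0x1B, s.encode("ascii"))           # GeneralString
    name = der(0x30, der(0xA0, der(0x02, b"\x01")) + der(0xA1, der(0x30, gs(service) + gs(host))))
    krb5 = der(0x30, der(0xA0, gs(realm)) + der(0xA1, name))
    return der(0xA0, der(0x06, bytes.fromhex("2b0601050202")) + der(0xA0, krb5))

# Constructed: the HTTP cert's SAN before and after resubmitting with -D ipa1.example.com.
PRINCIPAL = krb5_principal_name("HTTP", "ipa1.example.com", "EXAMPLE.COM")
OLD_SAN = der(0x30, PRINCIPAL)                                    # otherName only
NEW_SAN = der(0x30, PRINCIPAL + der(0x82, b"ipa1.example.com"))  # plus dNSName

if __name__ == "__main__":
    for label, san in (("before", OLD_SAN), ("after", NEW_SAN)):
        print(label, san_dns_names(san), chrome_accepts(san, "ipa1.example.com"))
```

The same `san_dns_names` walk applies to the extnValue of a real certificate's SAN extension (OID 2.5.29.17), which is where a CN-only or Kerberos-principal-only certificate shows an empty list.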