Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Any ideas why the replica's certs are not being tracked? That looks like an
issue in itself. If they are not being tracked, the replica will fail once
they expire. Is there any way to fix the replica?

On Sun, Apr 23, 2017 at 10:08 PM, Prasun Gera wrote:
> I tried that, but the replica's "getcert list" doesn't seem to show any
> results. "Number of certificates and requests being tracked: 0." Is that
> expected?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
I tried that, but the replica's "getcert list" doesn't seem to show any
results. "Number of certificates and requests being tracked: 0." Is that
expected?

On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale wrote:
> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
> > Thank you. That worked for the master. How do I fix the replica's cert?
> > This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
> > ipa's DNS at all. Did this happen because of that?
>
> This is not related to DNS.
>
> To fix the replica, log onto the host and perform the same steps
> with Certmonger there. The tracking Request ID will be different
> but otherwise the process is the same.
>
> Cheers,
> Fraser
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
> Thank you. That worked for the master. How do I fix the replica's cert?
> This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
> ipa's DNS at all. Did this happen because of that?

This is not related to DNS.

To fix the replica, log onto the host and perform the same steps
with Certmonger there. The tracking Request ID will be different
but otherwise the process is the same.

Cheers,
Fraser
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Thank you. That worked for the master. How do I fix the replica's cert?
This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
ipa's DNS at all. Did this happen because of that?

On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale wrote:
> Which version of IPA are you using?
>
> The first thing you should do, which I think should be sufficient in
> most cases, is to tell certmonger to submit a new cert request for
> each affected certificate, instructing it to include the relevant
> DNSName in the subjectAltName extension in the CSR.
>
> List the certmonger tracking requests and look for the HTTPS
> certificate. For example:
>
>   $ getcert list
>   Number of certificate and requests being tracked: 11
>   ...
>   Request ID '20170418012901':
>           status: MONITORING
>           stuck: no
>           key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>           certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>           CA: IPA
>           issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>           subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>           expires: 2019-03-22 03:20:19 UTC
>           dns: f25-2.ipa.local
>           key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>           eku: id-kp-serverAuth,id-kp-clientAuth
>           pre-save command:
>           post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>           track: yes
>           auto-renew: yes
>   ...
>
> Using the Request ID of the HTTPS certificate, resubmit the request
> but use the ``-D`` option to specify a DNSName to include
> in the SAN extension:
>
>   $ getcert resubmit -i -D
>
> ``-D`` can be specified multiple times, if necessary.
>
> This should request a new certificate that will have the server DNS
> name in the SAN extension.
>
> HTH,
> Fraser
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
> I can confirm that I see this behaviour too. My ipa server install is a
> pretty stock install with no 3rd party certificates.

Which version of IPA are you using?

The first thing you should do, which I think should be sufficient in
most cases, is to tell certmonger to submit a new cert request for
each affected certificate, instructing it to include the relevant
DNSName in the subjectAltName extension in the CSR.

List the certmonger tracking requests and look for the HTTPS
certificate. For example:

  $ getcert list
  Number of certificate and requests being tracked: 11
  ...
  Request ID '20170418012901':
          status: MONITORING
          stuck: no
          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
          CA: IPA
          issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
          subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
          expires: 2019-03-22 03:20:19 UTC
          dns: f25-2.ipa.local
          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
          eku: id-kp-serverAuth,id-kp-clientAuth
          pre-save command:
          post-save command: /usr/libexec/ipa/certmonger/restart_httpd
          track: yes
          auto-renew: yes
  ...

Using the Request ID of the HTTPS certificate, resubmit the request
but use the ``-D`` option to specify a DNSName to include
in the SAN extension:

  $ getcert resubmit -i -D

``-D`` can be specified multiple times, if necessary.

This should request a new certificate that will have the server DNS
name in the SAN extension.

HTH,
Fraser
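The procedure Fraser describes (list the tracked requests, find the server certificates whose SAN lacks the host's DNS name, resubmit each with -D) can be checked mechanically before anything is resubmitted. The script below is an added example written for this thread, not certmonger's or FreeIPA's own code. It parses `getcert list` output, keeps only requests carrying the id-kp-serverAuth EKU, and reports the ones whose `dns:` line does not contain the given FQDN together with the resubmit command that would add it. The sample output is constructed from the listing above plus a second, hypothetical request with no `dns:` line; the NSS database path in that second entry is a placeholder, and the assumption that certmonger separates several SAN names with commas is noted in the code. A tracked count of zero, as on Prasun's replica, is reported on its own, since in that case nothing is being renewed at all.

```python
"""Check `getcert list` output for server certificates whose SAN lacks the
host's DNS name and print the `getcert resubmit` command that would add it.

Added example for this thread (not certmonger or FreeIPA code). Usage:
    getcert list | python3 check_san.py f25-2.ipa.local
With no piped input it scans the constructed sample below.
"""
import re
import sys

# Constructed sample: the first request is the listing quoted in the thread;
# the second is hypothetical (placeholder NSS DB path) and has no `dns:` line.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170418012901':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
        subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
        expires: 2019-03-22 03:20:19 UTC
        dns: f25-2.ipa.local
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20170418012902':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/path/to/other/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/path/to/other/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
        subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
        expires: 2019-03-22 03:20:19 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        track: yes
        auto-renew: yes
"""

COUNT_RE = re.compile(r"Number of certificates? and requests being tracked: (\d+)")
REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return (tracked_count, {request_id: {field: value}}).

    Each field line is split on its first colon only, so values that contain
    colons themselves (the `expires:` timestamp) survive intact.
    """
    count, requests, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return count, requests


def tracked_dns_names(fields):
    """Names on the `dns:` line, or []. Assumes certmonger separates several
    names with commas (the thread only shows a single name)."""
    return [n for n in re.split(r"[,\s]+", fields.get("dns", "")) if n]


def plan_resubmits(text, fqdn):
    """Return (tracked_count, [(request_id, resubmit_command), ...]) for every
    tracked server certificate (id-kp-serverAuth EKU) whose SAN lacks fqdn."""
    count, requests = parse_getcert_list(text)
    wanted = fqdn.lower().rstrip(".")
    fixes = []
    for rid, fields in requests.items():
        if "id-kp-serverAuth" not in fields.get("eku", ""):
            continue  # client-only or CA certs are not subject to hostname checks
        names = [n.lower().rstrip(".") for n in tracked_dns_names(fields)]
        if wanted not in names:
            fixes.append((rid, f"getcert resubmit -i {rid} -D {fqdn}"))
    return count, fixes


if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "f25-2.ipa.local"
    text = SAMPLE_GETCERT_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    count, fixes = plan_resubmits(text, fqdn)
    if not count:
        print("certmonger is tracking nothing on this host; no renewal will happen")
    for rid, cmd in fixes:
        print(f"{rid}: SAN lacks {fqdn} -> {cmd}")
```

The EKU filter is deliberate: FreeIPA's tracked certificates include CA and client-only certificates, and only those presented to TLS clients for server authentication need the host name in their SAN.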
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
I can confirm that I see this behaviour too. My ipa server install is a
pretty stock install with no 3rd party certificates.

On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <simon.willi...@thehelpfulcat.com> wrote:
> Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> version 58.0.3029.81. It appears that this version of Chrome will not
> trust certificates based on Common Name. Looking at the Chrome
> documentation and borne out by one of the messages, from Chrome 58,
> the subjectAltName is required to identify the DNS name of the host that
> the certificate is issued for. I would be grateful if someone could point
> me in the direction of how to recreate my SSL certificates so that
> the subjectAltName is populated.
>
> Thanks in advance
[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Yesterday, Chrome on both my Ubuntu and Windows machines updated to
version 58.0.3029.81. It appears that this version of Chrome will not
trust certificates based on Common Name. Looking at the Chrome
documentation and borne out by one of the messages, from Chrome 58,
the subjectAltName is required to identify the DNS name of the host that
the certificate is issued for. I would be grateful if someone could point
me in the direction of how to recreate my SSL certificates so that
the subjectAltName is populated.

Thanks in advance
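What changed in Chrome 58 is the hostname-matching rule Simon describes: the DNS name must appear as a subjectAltName dNSName entry, and the subject Common Name is no longer consulted. The snippet below is an added example for this thread, not Chrome's, Python's or FreeIPA's code. It implements the strict SAN-only rule beside the older CN fallback over the dict shape Python's ssl.SSLSocket.getpeercert() returns, using two constructed certificates modelled on the f25-2.ipa.local subject seen later in the thread, one CN-only and one with a SAN. It goes slightly beyond the thread by also applying the RFC 6125 wildcard rule (a wildcard only as the whole left-most label, covering one label).

```python
"""Hostname verification the way Chrome 58 does it: only subjectAltName
dNSName entries count; the subject Common Name is ignored.

Added example for this thread; not Chrome's, Python's or FreeIPA's code.
Certificates use the dict shape ssl.SSLSocket.getpeercert() returns, and
the two sample certificates below are constructed here.
"""


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and
    a wildcard allowed only as the entire left-most label, covering exactly
    one label ('*.ipa.local' matches 'f25-2.ipa.local', not 'a.b.ipa.local').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial-label or non-leading wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # refuse '*.local' style patterns and label-count mismatches
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    """dNSName entries of the SAN extension, as getpeercert() reports them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """The subject CN, or None; getpeercert() nests RDNs as tuples of tuples."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def matches_san_only(cert, hostname):
    """Chrome 58+ rule: the hostname must match a SAN dNSName; CN never counts."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names(cert))


def matches_with_cn_fallback(cert, hostname):
    """Older lenient rule: fall back to the CN only when the SAN has no dNSName."""
    names = san_dns_names(cert)
    if names:
        return any(dns_name_matches(n, hostname) for n in names)
    cn = common_name(cert)
    return cn is not None and dns_name_matches(cn, hostname)


# Constructed samples modelled on the subject shown in the thread.
CN_ONLY_CERT = {
    "subject": ((("commonName", "f25-2.ipa.local"),),
                (("organizationName", "IPA.LOCAL 201703211317"),)),
}
SAN_CERT = {
    "subject": ((("commonName", "f25-2.ipa.local"),),
                (("organizationName", "IPA.LOCAL 201703211317"),)),
    "subjectAltName": (("DNS", "f25-2.ipa.local"),),
}


def verdicts(cert, hostname):
    """Both rules side by side, so the Chrome 58 change is visible per cert."""
    return {"san_only": matches_san_only(cert, hostname),
            "cn_fallback": matches_with_cn_fallback(cert, hostname)}


if __name__ == "__main__":
    for label, cert in (("CN-only cert", CN_ONLY_CERT), ("SAN cert", SAN_CERT)):
        print(label, verdicts(cert, "f25-2.ipa.local"))
```

Against a live server the same functions can be fed the result of `ssl.SSLSocket.getpeercert()` to see which rule a given certificate satisfies; the CN-only certificate passes only the fallback rule, which is exactly the case Chrome 58 stopped accepting.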