Rob,
I just saw your message on IRC from a couple of hours ago... time difference ;)
Thanks,
Matt
2015-03-28 10:17 GMT+01:00 Matt . yamakasi@gmail.com:
Rob,
As I was responding a little bit late last night, the following came to mind.
As you say I need to request my cert with two names, how do you mean?
I'm using curl at the moment so figuring that out.
As the same issue happens in the GUI itself I think this might be a
problem. When I
I'm almost there but what happens when I regenerate a certificate for
the ldap server I get the following when I visit it through the
loadbalancer:
no alternative certificate subject name matches target host name
'ldap-01.domain'
I think this is strange as the certificate shows the ldap
Hi Rob,
Thanks for the explanation. I understand your solution, I just thought
that was the dirty way :)
Thanks for your effort!
Cheers,
Matt
2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
I'm almost there but what happens when I regenerate a certificate for
When digging around I see this documentation:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
I would expect that server.example.com is not going to be accepted by
IPA when you visit the webgui like that?
2015-03-26 1:57 GMT+01:00 Matt .
Matt . wrote:
When digging around I see this documentation:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
I would expect that server.example.com is not going to be accepted by
IPA when you visit the webgui like that?
These are SRV records for the
Hi Rob,
Yes something is wrong there I guess.
But still, I actually need to add a SAN to the webserver cert, which
is different I think than the services at least.
So the question there is... how?
Cheers,
Matt
2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
Hi Rob,
Thank you very much!
I think this will work out as it's only https traffic.
I will report back!
Thanks a lot!
Matt
2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
Hi Rob,
Yes something is wrong there I guess.
In any case, it doesn't apply to what
Hi,
This should be it and worked for generating the cert with the altname
ldap.domain.tld
When I login and I go to services I get the following:
cannot connect to
'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
OK some new update:
When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a
301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt
But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my
browser it just works fine.
2015-03-26 22:11 GMT+01:00 Matt .
Matt . wrote:
Hi Rob,
Yes something is wrong there I guess.
In any case, it doesn't apply to what you're trying to do.
But still, I actually need to add a SAN to the webserver cert, which
is different I think than the services at least.
So the question there is... how?
What webserver
OK, quite clear but I think that is not going to help me, if you ask
me, I might be wrong here as this is what I get:
# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51-- https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to
Matt . wrote:
The right way to request a SAN, this seems to need some extra config file?
Like I said before, use certmonger, it makes life easier.
I'll create a new host balancer.example.com with a HTTP service. I'll
generate a cert with a SAN for idp.example.com in that service. I'm
Isn't this documented well (yet)?
The RH docs are always very detailed about it, but I'm not sure
here... I see solutions but not 100% from A to Z to make sure we do it
the proper way.
2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
Not worried, I need to try.
I think it's not an
The right way to request a SAN, this seems to need some extra config file?
2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
Isn't this documented well (yet)?
Is what documented yet?
rob
The RH docs are always very detailed about it, but I'm not sure
here...
Matt . wrote:
Isn't this documented well (yet)?
Is what documented yet?
rob
The RH docs are always very detailed about it, but I'm not sure
here... I see solutions but not 100% from A to Z to make sure we do it
the proper way.
2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
Matt . wrote:
Hi,
Security wise I can understand that.
Yes I have read about that... but that would let me use the
loadbalancer to connect ? I was not sure if the SAN would connect as
other host.
Kerberos through a load balancer can be a problem. Is this what you're
worried about?
rob
Matt . wrote:
Hi Guys,
Is Rob able to look at this? I hope he has some spare time as I'm
kinda stuck with this issue.
Wildcard certs are not supported.
You can request a SAN with certmonger using -D FQDN. That will work
with IPA 4.x for sure, maybe 3.3.5.
rob
Thanks!
2015-03-08
Hi Guys,
Is Rob able to look at this? I hope he has some spare time as I'm
kinda stuck with this issue.
Thanks!
2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
I'm reviewing some things.
When I'm using a loadbalancer, which I prefer in this setup I need to
have the same certificates on both servers. Maybe a wildcard for my
domain could do instead of having only both fqdn's of the servers
including the loadbalancer's fqdn.
But the question remains, how?
Hi,
I will balance with IP persistence so I think there won't be any
mixing as long as that used server is online.
2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
On 03/06/2015 11:05 AM, Matt . wrote:
OK, understood.
But when a webservice does execute a command (from scripting) to a
Hi,
But as the user is the same, I could use the same keytab for each ipa server ?
I need to use the API indeed, so need to issue the http service.
Any other options ?
2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
On 6.3.2015 14:08, Martin Kosek wrote:
I'm figuring out how to
On 6.3.2015 15:13, Matt . wrote:
Hi,
But as the user is the same, I could use the same keytab for each ipa server ?
I need to use the API indeed, so need to issue the http service.
Any other options ?
I do not really understand your use case. Could you describe it in detail,
please?
I have 2 IPA servers where I kinit to and post to the api using curl/json.
As I need redundancy and don't want to have it script managed, but one
central point where I can talk to, I use a loadbalancer.
As I connect to the loadbalancer using DNAT, so the client IP is known
on the IPA server
On 6.3.2015 16:24, Matt . wrote:
Hi,
I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.
I auth users, so their keytab should be the same between two masters I
believe ?
Keytabs are used by Kerberos and MIT kerberos libraries fully
On 6.3.2015 15:39, Matt . wrote:
I have 2 IPA servers where I kinit to and post to the api using curl/json.
If we are talking purely about scripting, you can use IPA Python API. It will
handle failover for you even without any load balancer. That would be the easiest
way.
As I need redundancy and
Hi,
I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.
I auth users, so their keytab should be the same between two masters I believe ?
In that case... I need to add the altnames to the certs, but I'm not
100% there in step 6
Thanks again!
On 6.3.2015 14:08, Martin Kosek wrote:
I'm figuring out how to regenerate the webserver certificates so I can
use a loadbalancer in front of my ipa servers.
Are you talking about FreeIPA web interface? It is technically possible to use
load-balancer but it will be really hacky. You would have
Hi,
I'm figuring out how to regenerate the webserver certificates so I can
use a loadbalancer in front of my ipa servers.
I see in the docs there is information about this, but not for the
webservice. Does anyone have some directions ?
Thanks.
Matt
On 03/06/2015 01:30 PM, Matt . wrote:
Hi,
I'm figuring out how to regenerate the webserver certificates so I can
use a loadbalancer in front of my ipa servers.
I see in the docs there is information about this, but not for the
webservice. Does anyone have some directions ?
Thanks.
Matt
Hi Martin,
Thanks, I saw that ticket but didn't get to the wiki part yet.
What I wonder in Step 6:
6. Request a signed certificate for the service and see the entry in
Certmonger. In case you created a NSS database with a PIN (see the
step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt
On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote:
Hi,
I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.
I auth users, so their keytab should be the same between two masters I
believe ?
What kind of load balancing ?
An IPA server
OK, understood.
But when a webservice does execute a command (from scripting) to a SRV
record and the first is not reachable, would it try to do it again or
will DNS handle this in front of it?
I do a kinit against an IPA server using a keytab after I first
checked if the user was able to auth
On 03/06/2015 11:05 AM, Matt . wrote:
OK, understood.
But when a webservice does execute a command (from scripting) to a SRV
record and the first is not reachable, would it try to do it again or
will DNS handle this in front of it?
I do a kinit against an IPA server using a keytab after I