subject:"\[Freeipa\-users\] Re\: Basic Certificate Creation Question"

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Callum Guy via FreeIPA-users

That's an incredible response, thank you so much Alexander.

I'll take my time digesting that and look into correcting the current
configuration.

With all that information I am pretty certain I can resolve several other
mis-configured services, I can't thank you enough!

On Wed, Jan 17, 2018 at 4:38 PM Alexander Bokovoy 
wrote:

> On ke, 17 tammi 2018, Callum Guy wrote:
> >Hi Alex,
> >
> >I have now managed to create valid certificates after following your
> >provided example however I do have some questions.
> >
> >Firstly in my situation there are multiple proxy instances which are
> >servicing this domain, for this reason I attempted to add two hosts to my
> >dummy host. This part worked fine and produced the following:
> >
> >[11:43] root net-ipa1 ~ # ipa service-add-host HTTP/gogs.domain.net
> --host
> >net-proxy1.domain.net --host net-proxy2.domain.net
> >  Principal name: HTTP/gogs.domain@domain.net
> >  Principal alias: HTTP/gogs.domain@domain.net
> >  Managed by: gogs.domain.net, net-proxy1.domain.net,
> net-proxy2.domain.net
> >
> >AFAIK that looks good although i am not entirely clear on how that
> >configuration would effect FreeIPA behaviour.
> >
> >Following the rest of the example did not work for me however things
> >usually don't work if I don't understand what I'm doing! Ignoring that for
> >a second, I managed to add my CSR to the service principal via the IPA
> >interface and the produced certificate was accepted by both proxy
> instances
> >so I have achieved what i needed to.
> >
> >I am interested in where  it all went wrong and always interested in
> >improving my understanding of IPA itself so wanted to share the output in
> >case you were able to provide any information! You can see the domain
> >redacted log below:
> You did re-issued a certificate for a wrong service on a wrong host.
>
> You wanted to issue certs for HTTP/gogs.domain.net but did so for
> HTTP/net-ipa1.domain.net. The latter is not managed by
> net-proxy1.domain.net, so there is an error.
>
> If I understood your setup, it is the following:
>
>   - main host visible to users is gogs.domain.net, they would
> authenticate using GSSAPI to HTTP/gogs.domain.net
>
>   - gogs.domain.net is actually represented by net-proxy1.domain.net and
> net-proxy2.domain.net. In case of IPA this means gogs.domain.net
> only exists within IPA database but not as a real (enrolled) host
>
>   - HTTP/gogs.domain.net would need to have aliases
> HTTP/net-proxy1.domain.net and HTTP/net-proxy2.domain.net to allow
> web services on net-proxy1 and net-proxy2 to handle Kerberos
> authentication
>
>   - net-proxy1.domain.net and net-proxy2.domain.net should not have
> actual HTTP/ services defined in IPA
>
> This means you'd need to perform something like the following steps
> (below {} is relying on a shell expansion feature, e.g. {foo{1,2}} would
> expand into "foo1 foo2" and --bar={foo{1,2}} would expand into
> "--bar=foo1 --bar=foo2"). Note that I haven't tested this at all, only
> checked that IPA commands use proper arguments/options.
>
>  1. ipa host-add gogs.domain.net
>  2. ipa service-add HTTP/gogs.domain.net
>  3. ipa service-add-host HTTP/gogs.domain.net --hosts={net-proxy{1,2}.
> domain.net}
>  4. ipa service-add-principal HTTP/gogs.domain.net {HTTP/net-proxy{1,2}.
> domain.net}
>  5. ipa service-allow-create-keytab HTTP/gogs.domain.net
> --hosts={net-proxy{1,2}.domain.net}
>  6. ipa service-allow-retrieve-keytab HTTP/gogs.domain.net
> --hosts={net-proxy{1,2}.domain.net}
>
> Now, we have a host gogs.domain.net. This host has HTTP/gogs.domain.net
> service which is also known to KDC as HTTP/net-proxy1.domain.net and
> HTTP/net-proxy2.domain.net. The principal HTTP/gogs.domain.net can be
> managed by hosts net-proxy1.domain.net and net-proxy2.domain.net,
> meaning these hosts can create and retrieve keytab for the
> HTTP/gogs.domain.net principal.
>
> Next step is to issue the certificate and the keytab. There is a
> problem though because you should retrieve them at one place only or
> otherwise the second issuance would invalidate the first one. Choose
> which host will be the primary one and make sure you have a mechanism to
> distribute the retrieved certificate and its private key (and a Kerberos
> keytab) to the second one.
>
> Let's say it would be a net-proxy1.domain.net. On net-proxy1 if you have
> Apache and mod_nss installed, you can use its /etc/httpd/alias database:
>
>  ipa-getcert request -n Server-Cert \
>  -d /etc/httpd/alias \
>  -t 'NSS Certificate DB' \
>  -p /etc/httpd/alias/pwdfile.txt \
>  -N gogs.domain.net \
>  -D gogs.domain.net \
>  -D net-proxy1.domain.net \
>  -D net-proxy2.domain.net \
>  -K HTTP/gogs.domain.net \
>  -K HTTP/net-proxy1.domain.net \
>

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Alexander Bokovoy via FreeIPA-users


On ke, 17 tammi 2018, Callum Guy wrote:

Hi Alex,

I have now managed to create valid certificates after following your
provided example however I do have some questions.

Firstly in my situation there are multiple proxy instances which are
servicing this domain, for this reason I attempted to add two hosts to my
dummy host. This part worked fine and produced the following:

[11:43] root net-ipa1 ~ # ipa service-add-host HTTP/gogs.domain.net --host
net-proxy1.domain.net --host net-proxy2.domain.net
 Principal name: HTTP/gogs.domain@domain.net
 Principal alias: HTTP/gogs.domain@domain.net
 Managed by: gogs.domain.net, net-proxy1.domain.net, net-proxy2.domain.net

AFAIK that looks good although i am not entirely clear on how that
configuration would effect FreeIPA behaviour.

Following the rest of the example did not work for me however things
usually don't work if I don't understand what I'm doing! Ignoring that for
a second, I managed to add my CSR to the service principal via the IPA
interface and the produced certificate was accepted by both proxy instances
so I have achieved what i needed to.

I am interested in where  it all went wrong and always interested in
improving my understanding of IPA itself so wanted to share the output in
case you were able to provide any information! You can see the domain
redacted log below:

You did re-issued a certificate for a wrong service on a wrong host.

You wanted to issue certs for HTTP/gogs.domain.net but did so for
HTTP/net-ipa1.domain.net. The latter is not managed by
net-proxy1.domain.net, so there is an error.

If I understood your setup, it is the following:

 - main host visible to users is gogs.domain.net, they would
   authenticate using GSSAPI to HTTP/gogs.domain.net

 - gogs.domain.net is actually represented by net-proxy1.domain.net and
   net-proxy2.domain.net. In case of IPA this means gogs.domain.net
   only exists within IPA database but not as a real (enrolled) host

 - HTTP/gogs.domain.net would need to have aliases
   HTTP/net-proxy1.domain.net and HTTP/net-proxy2.domain.net to allow
   web services on net-proxy1 and net-proxy2 to handle Kerberos
   authentication

 - net-proxy1.domain.net and net-proxy2.domain.net should not have
   actual HTTP/ services defined in IPA

This means you'd need to perform something like the following steps
(below {} is relying on a shell expansion feature, e.g. {foo{1,2}} would
expand into "foo1 foo2" and --bar={foo{1,2}} would expand into
"--bar=foo1 --bar=foo2"). Note that I haven't tested this at all, only
checked that IPA commands use proper arguments/options.

1. ipa host-add gogs.domain.net
2. ipa service-add HTTP/gogs.domain.net
3. ipa service-add-host HTTP/gogs.domain.net --hosts={net-proxy{1,2}.domain.net}
4. ipa service-add-principal HTTP/gogs.domain.net 
{HTTP/net-proxy{1,2}.domain.net}
5. ipa service-allow-create-keytab HTTP/gogs.domain.net 
--hosts={net-proxy{1,2}.domain.net}
6. ipa service-allow-retrieve-keytab HTTP/gogs.domain.net 
--hosts={net-proxy{1,2}.domain.net}

Now, we have a host gogs.domain.net. This host has HTTP/gogs.domain.net
service which is also known to KDC as HTTP/net-proxy1.domain.net and
HTTP/net-proxy2.domain.net. The principal HTTP/gogs.domain.net can be
managed by hosts net-proxy1.domain.net and net-proxy2.domain.net,
meaning these hosts can create and retrieve keytab for the
HTTP/gogs.domain.net principal.

Next step is to issue the certificate and the keytab. There is a
problem though because you should retrieve them at one place only or
otherwise the second issuance would invalidate the first one. Choose
which host will be the primary one and make sure you have a mechanism to
distribute the retrieved certificate and its private key (and a Kerberos
keytab) to the second one.

Let's say it would be a net-proxy1.domain.net. On net-proxy1 if you have
Apache and mod_nss installed, you can use its /etc/httpd/alias database:

ipa-getcert request -n Server-Cert \
-d /etc/httpd/alias \
 -t 'NSS Certificate DB' \
 -p /etc/httpd/alias/pwdfile.txt \
 -N gogs.domain.net \
 -D gogs.domain.net \
 -D net-proxy1.domain.net \
 -D net-proxy2.domain.net \
 -K HTTP/gogs.domain.net \
 -K HTTP/net-proxy1.domain.net \
 -K HTTP/net-proxy2.domain.net \
 -C /path/to/rotation/script

rotation script is called by certmonger after it has re-issued and saved
the script. IPA servers have their own:
/usr/libexec/ipa/certmonger/restart_httpd but all it basically does is
to determine whether httpd is running and then restarting it to apply a
new certificate because mod_nss only reads it once. You can write this
script using any language (a shell, for example) and it could do what
you want:
- copy nss database to net-proxy2, for example
- trigger restart of httpd on net-proxy1 and

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Callum Guy via FreeIPA-users

Thanks so much Alexander - I'll have a go and come back if I experience any
difficulties.

Have a good day!

On Wed, Jan 17, 2018 at 11:06 AM Alexander Bokovoy 
wrote:

> On ke, 17 tammi 2018, Callum Guy via FreeIPA-users wrote:
> >Hi All,
> >
> >I'm planning to add a subdomain certificate for an internal web service
> >using FreeIPA CA however in my example I am applying the certificate to an
> >interim proxy server.
> >
> >For example I want to sign a certificate for "web.domain.com" and serve
> it
> >on host "proxy.domain.com".
> >
> >Based on what I have learnt from using FreeIPA so far I presume the
> correct
> >way to do this is via service principal: HTTP/proxy.domain@domain.com
> >
> >When I attempt to create the certificate from my CSR I get the following
> >error report:
> >
> >"invalid 'csr': hostname in subject of request 'web.domain.com' does not
> >match name or aliases of principal 'HTTP/proxy.domain@domain.com'"
> >
> >Ii have tried adding aliases to the principal however I haven't been able
> >to make it work - a lack of understanding I think!
> >
> >I am sure that I am just doing something wrong and it would be great if
> >someone could help explain what I should be doing.
> See the thread at
>
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IO6BSB6K76E5XRM4IQEFJRTIPK6KKXFX/
> for details on how to achieve that.
>
> --
> / Alexander Bokovoy
>

-- 
Callum Guy
Head of Information Security
X-on

-- 

*0333 332   |  www.x-on.co.uk   |   ** 

   * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Alexander Bokovoy via FreeIPA-users


On ke, 17 tammi 2018, Callum Guy via FreeIPA-users wrote:

Hi All,

I'm planning to add a subdomain certificate for an internal web service
using FreeIPA CA however in my example I am applying the certificate to an
interim proxy server.

For example I want to sign a certificate for "web.domain.com" and serve it
on host "proxy.domain.com".

Based on what I have learnt from using FreeIPA so far I presume the correct
way to do this is via service principal: HTTP/proxy.domain@domain.com

When I attempt to create the certificate from my CSR I get the following
error report:

"invalid 'csr': hostname in subject of request 'web.domain.com' does not
match name or aliases of principal 'HTTP/proxy.domain@domain.com'"

Ii have tried adding aliases to the principal however I haven't been able
to make it work - a lack of understanding I think!

I am sure that I am just doing something wrong and it would be great if
someone could help explain what I should be doing.

See the thread at
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IO6BSB6K76E5XRM4IQEFJRTIPK6KKXFX/
for details on how to achieve that.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: Basic Certificate Creation Question

[Freeipa-users] Re: Basic Certificate Creation Question

[Freeipa-users] Re: Basic Certificate Creation Question

[Freeipa-users] Re: Basic Certificate Creation Question

4 matches

Site Navigation

Mail list logo

Footer information