[Freeipa-users] Re: Chromium complains about ipa's web server certificate
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote:
> On Sat, 12 Aug 2017, Harald Dunkel via FreeIPA-users wrote:
> > Hi Fraser,
> >
> > On Fri, 11 Aug 2017 18:48:29 +1000
> > Fraser Tweedale via FreeIPA-users wrote:
> >
> > > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> > > >
> > > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > > >
> > > > How can I tell freeipa?
> > > >
> > > Hi Harald,
> > >
> > > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > > value(s). Use `getcert list` to find the REQUEST-ID to use; it will
> > > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > > `Server-Cert`.
> > >
> > This worked, thanx very much.
> >
> > I would suggest to create web server certificate with appropriate
> > SubjectAltName right from the start by ipa-server-install, but maybe
> > this has already been fixed?
> Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
> point: https://bugzilla.redhat.com/show_bug.cgi?id=1477046
>
Actually we have requested IPA service certificates with SAN for several
releases now. The recent change (#7007) is to change the default profile
to always add SAN, even if not explicitly requested.

Anyway, Harald's installation is obviously from a time before either of
those changes :)

Cheers,
Fraser

> See https://pagure.io/freeipa/issue/7007 for more upstream details.
>
> --
> / Alexander Bokovoy

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Chromium complains about ipa's web server certificate
On Sat, 12 Aug 2017, Harald Dunkel via FreeIPA-users wrote:
> Hi Fraser,
>
> On Fri, 11 Aug 2017 18:48:29 +1000
> Fraser Tweedale via FreeIPA-users wrote:
>
> > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> > >
> > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > >
> > > How can I tell freeipa?
> > >
> > Hi Harald,
> >
> > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > value(s). Use `getcert list` to find the REQUEST-ID to use; it will
> > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > `Server-Cert`.
> >
> This worked, thanx very much.
>
> I would suggest to create web server certificate with appropriate
> SubjectAltName right from the start by ipa-server-install, but maybe
> this has already been fixed?
Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
point: https://bugzilla.redhat.com/show_bug.cgi?id=1477046

See https://pagure.io/freeipa/issue/7007 for more upstream details.

--
/ Alexander Bokovoy
[Freeipa-users] Re: Chromium complains about ipa's web server certificate
Hi Fraser,

On Fri, 11 Aug 2017 18:48:29 +1000
Fraser Tweedale via FreeIPA-users wrote:

> On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> >
> > https://support.google.com/chrome/a/answer/7391219?hl=en
> >
> > How can I tell freeipa?
> >
> Hi Harald,
>
> Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> value(s). Use `getcert list` to find the REQUEST-ID to use; it will
> be the certificate in NSSDB `/etc/httpd/alias` with nickname
> `Server-Cert`.
>
This worked, thanx very much.

I would suggest to create web server certificate with appropriate
SubjectAltName right from the start by ipa-server-install, but maybe
this has already been fixed?

Regards
Harri
[Freeipa-users] Re: Chromium complains about ipa's web server certificate
Hi Harald,

On 11.08.2017 at 09:40, Harald Dunkel via FreeIPA-users wrote:
> - Subject Alternative Name missing
>   The certificate for this site does not contain a Subject Alternative
>   Name extension containing a domain name or IP address.

Chrome/Chromium expect SubjectAltName to be set in recent versions.
There can be multiple SubjectAltNames in each certificate.
Have a look at the -D option of ipa-getcert request.

Best regards,
Bernhard
[Freeipa-users] Re: Chromium complains about ipa's web server certificate
On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by
> an external root CA. Problem:
>
> Even though I have imported the root CA and clicked on all the trust
> checkboxes, chromium complains about the certificate of the web admin
> interface running on https://ipa1.example.com/ :
>
> - Subject Alternative Name missing
>   The certificate for this site does not contain a Subject Alternative
>   Name extension containing a domain name or IP address.
> - Certificate error
>   There are issues with the site's certificate chain
>   (net::ERR_CERT_COMMON_NAME_INVALID).
>
> The CN is "ipa1.example.com", matching the host name. The Subject
> Alternative Name is
>
>   Not Critical
>   Microsoft Principal Name: HTTP/ipa1.example@example.com
>   OID.1.3.6.1.5.2.2: 30 30 A0 0B 1B 09 41 49 58 49 47 4F 2E 44 45 A1
>                      21 30 1F A0 03 02 01 01 A1 18 30 16 1B 04 48 54
>                      54 50 1B 0E 69 70 61 31 2E 61 69 78 69 67 6F 2E
>                      64 65
>
> I haven't seen this mentioned here, but Google provides some more
> information:
>
> https://support.google.com/chrome/a/answer/7391219?hl=en
>
> How can I tell freeipa?
>
Hi Harald,

Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
HTTP certificate with the appropriate DNS-NAME Subject Alt Name
value(s). Use `getcert list` to find the REQUEST-ID to use; it will
be the certificate in NSSDB `/etc/httpd/alias` with nickname
`Server-Cert`.

Cheers,
Fraser
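The SAN that Harald pasted contains only otherName entries (a Microsoft Principal Name and a Kerberos principal under OID 1.3.6.1.5.2.2), which is exactly why Chromium reports the dNSName as missing even though the CN matches. The following Python is an added example, not code from this thread, from FreeIPA or from certmonger: using only the standard library, it parses the DER-encoded GeneralNames value of a SAN extension, lists each entry by type, and reports whether a dNSName for the host is present. The two SAN values it works on are constructed here with example.com names (they are not the poster's certificate); the first mirrors the pre-fix layout from the thread, the second what a certificate renewed with `getcert resubmit -i REQUEST-ID -D ipa1.example.com` would carry. The parser goes slightly beyond the single case in the thread by also handling rfc822Name, URI and IPv4 iPAddress entries and DER long-form lengths.

```python
"""Inspect an X.509 Subject Alternative Name (SAN) value and check for a dNSName.

Added example, not FreeIPA/certmonger code.  Input is the DER-encoded
GeneralNames SEQUENCE that forms the SAN extension's OCTET STRING contents
(RFC 5280, section 4.2.1.6).  Standard library only.
"""

# Context-specific tags for the GeneralName CHOICE alternatives reported here.
TAG_OTHER_NAME = 0xA0  # [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
TAG_RFC822 = 0x81      # [1] rfc822Name
TAG_DNS = 0x82         # [2] dNSName  (what Chromium requires for host matching)
TAG_URI = 0x86         # [6] uniformResourceIdentifier
TAG_IP = 0x87          # [7] iPAddress

# otherName type-ids typically seen in IPA service certificates
KNOWN_OTHER_NAME_OIDS = {
    "1.3.6.1.4.1.311.20.2.3": "Microsoft Principal Name (UPN)",
    "1.3.6.1.5.2.2": "Kerberos principal (KRB5PrincipalName)",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_general_names(san_value):
    """Return a list of (kind, text) pairs, one per GeneralName in the SAN."""
    tag, seq, _ = _read_tlv(san_value, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE OF GeneralName")
    string_kinds = {TAG_DNS: "dNSName", TAG_RFC822: "rfc822Name",
                    TAG_URI: "uniformResourceIdentifier"}
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag in string_kinds:
            names.append((string_kinds[tag], val.decode("ascii")))
        elif tag == TAG_IP:
            text = ".".join(str(b) for b in val) if len(val) == 4 else val.hex()
            names.append(("iPAddress", text))
        elif tag == TAG_OTHER_NAME:
            _, oid_raw, _ = _read_tlv(val, 0)  # first element is the type-id OID
            oid = _decode_oid(oid_raw)
            names.append(("otherName", KNOWN_OTHER_NAME_OIDS.get(oid, oid)))
        else:
            names.append(("unsupported", "tag 0x%02x" % tag))
    return names


def has_dns_san(san_value, hostname):
    """True if some dNSName equals hostname (case-insensitive).

    Wildcards are deliberately not expanded: an IPA service certificate
    should carry the host's own name, which is what `getcert resubmit -D` adds.
    """
    return any(kind == "dNSName" and text.lower() == hostname.lower()
               for kind, text in parse_general_names(san_value))


# --- constructed sample data (example.com names, not a real certificate) ---

def _tlv(tag, content):
    """Minimal DER encoder, sufficient for the short sample values below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + content


def _other_name(oid_der, value_der):
    return _tlv(TAG_OTHER_NAME, _tlv(0x06, oid_der) + _tlv(0xA0, value_der))


_UPN_OID = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3
_KRB5_OID = bytes.fromhex("2b0601050202")           # 1.3.6.1.5.2.2

# KRB5PrincipalName ::= SEQUENCE { [0] realm, [1] PrincipalName { [0] type, [1] name-string } }
_KRB5_PRINCIPAL = _tlv(0x30,
    _tlv(0xA0, _tlv(0x1B, b"EXAMPLE.COM"))
    + _tlv(0xA1, _tlv(0x30,
        _tlv(0xA0, _tlv(0x02, b"\x01"))
        + _tlv(0xA1, _tlv(0x30, _tlv(0x1B, b"HTTP") + _tlv(0x1B, b"ipa1.example.com"))))))

_NAMES_BEFORE = (_other_name(_UPN_OID, _tlv(0x0C, b"HTTP/ipa1.example.com@EXAMPLE.COM"))
                 + _other_name(_KRB5_OID, _KRB5_PRINCIPAL))
SAN_BEFORE = _tlv(0x30, _NAMES_BEFORE)   # only otherName entries, as in the thread
SAN_AFTER = _tlv(0x30, _NAMES_BEFORE + _tlv(TAG_DNS, b"ipa1.example.com"))  # after -D

if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        print(label, parse_general_names(san),
              "dNSName ok" if has_dns_san(san, "ipa1.example.com") else "dNSName MISSING")
```

To run this against a real server certificate you need the raw SAN extension value, which a full ASN.1 parser can hand you; for a quick manual look, `openssl x509 -in cert.pem -noout -text` prints the SAN section in readable form, and a line of the form `DNS:ipa1.example.com` is what should appear after the resubmit described above.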