Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
> limits a port to a single certificate) I need to add SANs
> (SubjectAltName) to the certificate that freeipa created for the
> webserver (Server-Cert) so that I can add more virtual hosts to the
> same Apache instance (yes, I know this is not advised but budgetary
> constraints are at play here).
>
> How do I go about that? Do I want to resubmit the certificate request
> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>
> # ipa-getcert resubmit -i -D alt.name1 -D alt.name2
>
> Is that the correct operation? If so, is there anything more I need to
> do after that?

Nobody knows? I would have thought that this would be one of the
easier routines in IPA certificate handling, no?

Cheers,
b.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote:
> BTW, there was related thread on freeipa-users in the past, with some
> links to related information:
>
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

So this writeup seems to ignore the fact that Apache and the certificate
store have already been established with mod_nss by the time you have
finished a FreeIPA installation, and does nothing about that in
consideration of the fact that mod_nss and mod_ssl are mutually exclusive
(AFAIU) for a single port.

But yeah. I did consider ditching mod_nss and replacing it with mod_ssl,
but that seems like quite an extensive disruption to the default FreeIPA
Apache configuration. In my experience, the further you get out of the
box with integration projects like FreeIPA, the more fragile things are
for future upgrading.

> I assume the only change since then is that FreeIPA now supports
> proper SAN extension.

Indeed, which seems to provide for a cleaner hack. It leaves the Apache
configuration for FreeIPA intact and makes the future reversion, when
mod_nss properly supports SNI, easier.

Cheers,
b.
Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
On 09/15/2015 12:35 PM, Brian J. Murrell wrote:
> On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
>> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
>> limits a port to a single certificate) I need to add SANs
>> (SubjectAltName) to the certificate that freeipa created for the
>> webserver (Server-Cert) so that I can add more virtual hosts to the
>> same Apache instance (yes, I know this is not advised but budgetary
>> constraints are at play here).
>>
>> How do I go about that? Do I want to resubmit the certificate request
>> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>>
>> # ipa-getcert resubmit -i -D alt.name1 -D alt.name2
>>
>> Is that the correct operation? If so, is there anything more I need to
>> do after that?
>
> Nobody knows? I would have thought that this would be one of the
> easier routines in IPA certificate handling, no?

BTW, there was related thread on freeipa-users in the past, with some
links to related information:

https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

I assume the only change since then is that FreeIPA now supports proper
SAN extension.
Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote:
> Hello,

Hi,

> It is the right way to do it AFAIK,

Indeed, no. It's a hack around the lack of SNI support in mod_nss.

> however it would only work with FreeIPA 4.0 or older:
>
> https://fedorahosted.org/freeipa/ticket/3977

That's right. I don't even know what the workaround would be for older
than FreeIPA 4.0. Probably the only choice left there is to run the
additional virtual hosts on a port other than 443. But that's an even
uglier hack as it's user-facing.

> Speaking in RHEL/CentOS versions, this is 7.1 or older.

My 7.1 has FreeIPA 4.1.

Cheers,
b.
Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate
On 09/12/2015 02:57 PM, Brian J. Murrell wrote:
> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
> limits a port to a single certificate) I need to add SANs
> (SubjectAltName) to the certificate that freeipa created for the
> webserver (Server-Cert) so that I can add more virtual hosts to the
> same Apache instance (yes, I know this is not advised but budgetary
> constraints are at play here).
>
> How do I go about that? Do I want to resubmit the certificate request
> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>
> # ipa-getcert resubmit -i -D alt.name1 -D alt.name2
>
> Is that the correct operation? If so, is there anything more I need to
> do after that?
>
> Cheers,
> b.

Hello,

It is the right way to do it AFAIK, however it would only work with
FreeIPA 4.0 or older:

https://fedorahosted.org/freeipa/ticket/3977

Speaking in RHEL/CentOS versions, this is 7.1 or older.
[Freeipa-users] add SubjectAltName (SAN) to IPA certificate
Due to the bug in mod_nss that prevents SNI from functioning (i.e.
limits a port to a single certificate) I need to add SANs
(SubjectAltName) to the certificate that freeipa created for the
webserver (Server-Cert) so that I can add more virtual hosts to the
same Apache instance (yes, I know this is not advised but budgetary
constraints are at play here).

How do I go about that? Do I want to resubmit the certificate request
with some -D alt.name1 -D alt.name2, etc. parameters as such:

# ipa-getcert resubmit -i -D alt.name1 -D alt.name2

Is that the correct operation? If so, is there anything more I need to
do after that?

Cheers,
b.
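Added example (editor's script, not from the thread or from the FreeIPA project): the resubmit step the original post asks about, carried through to the check that is missing from it, namely confirming that the reissued Server-Cert actually carries the extra dNSName entries before pointing more vhosts at it. It assumes the httpd NSS database is /etc/httpd/alias with nickname Server-Cert, and the hostnames ipa.example.com, www1.example.com and www2.example.com are placeholders. The note about host entries on FreeIPA 4.1+ is the editor's understanding, not something the thread states.

```shell
#!/bin/sh
# Add SAN dNSNames to the certmonger-tracked Server-Cert and verify them.
# Editor's example; assumed paths/names are marked below.
set -eu

NSSDB=/etc/httpd/alias   # assumed: FreeIPA httpd NSS db of that era
NICK=Server-Cert         # assumed: nickname used by the FreeIPA installer

# Request ID of the certmonger tracking request for Server-Cert.
# getcert prints a line like:  Request ID '20150912125800':
server_cert_request_id() {
    getcert list -d "$NSSDB" -n "$NICK" \
        | sed -n "s/^Request ID '\([^']*\)':.*/\1/p"
}

# Resubmit the tracking request with one -D per additional DNS name.
# Usage: resubmit_with_sans REQUEST_ID name1 name2 ...
resubmit_with_sans() {
    req_id=$1; shift
    args=""
    for name in "$@"; do
        args="$args -D $name"     # hostnames contain no whitespace
    done
    # shellcheck disable=SC2086
    ipa-getcert resubmit -i "$req_id" $args
}

# Turn the value line of "X509v3 Subject Alternative Name" from
# `openssl x509 -text` (read on stdin) into one DNS name per line;
# non-DNS entries such as "IP Address:..." are dropped.
san_line_to_dnsnames() {
    tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# DNS names in the currently installed Server-Cert.
cert_san_dnsnames() {
    certutil -L -d "$NSSDB" -n "$NICK" -a \
        | openssl x509 -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | san_line_to_dnsnames
}

# Print each wanted name (space-separated in $1) that is absent from the
# newline-separated SAN list on stdin. Empty output means full coverage.
missing_sans() {
    wanted=$1
    have=$(cat)
    for w in $wanted; do
        printf '%s\n' "$have" | grep -qxF "$w" || printf '%s\n' "$w"
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift   # remaining arguments are the extra vhost names
    # Editor's understanding (not from the thread): on FreeIPA 4.1+ the CA
    # refuses a SAN dNSName unless a host/service entry exists for it and
    # the requesting host may manage it, so something like this is needed
    # first for each name:
    #   ipa host-add www1.example.com --force
    #   ipa host-add-managedby www1.example.com --hosts=ipa.example.com
    req_id=$(server_cert_request_id)
    resubmit_with_sans "$req_id" "$@"
    # Issuance is asynchronous; wait until certmonger is back to MONITORING.
    until getcert list -i "$req_id" | grep -q 'status: MONITORING'; do
        sleep 2
    done
    # mod_nss reads the NSS db at startup, so restart httpd if certmonger's
    # post-save command did not already do so.
    systemctl restart httpd
    missing=$(cert_san_dnsnames | missing_sans "$*")
    if [ -n "$missing" ]; then
        echo "Server-Cert still lacks SAN entries for: $missing" >&2
        exit 1
    fi
    echo "Server-Cert covers: $*"
fi
```

Run as `sh add-san.sh --apply www1.example.com www2.example.com` on the IPA server. The `-i` argument of the original post's command is the Request ID that `getcert list` reports, which is why the script looks it up rather than relying on the nickname alone. The final check matters because a resubmit that the CA rejects leaves the old certificate in place while `getcert list` still looks healthy to a quick glance.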