Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
I see. Generally the SAN thing I mentioned does the job but definitely not in your case. An IPA power user is needed here.

On Tue, Jan 3, 2017 at 4:26 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
> Maciej,
> Thank you for the information. I am not terminating at a load balancer. Originally, I was trying to use a Route53 DNS CNAME entry of ipa.dev.crosschx.com but we found documentation that says the entry should be an A record and not a CNAME. I then created an A record in FreeIPA for ipa.dev.crosschx.com and pointed the A record to the IP addresses of ipa-master.dev.crosschx.com and ipa-replica.dev.crosschx.com.
>
> I guess using the phrase load balancer may be a poor choice here as I am using FreeIPA DNS as a way to load balance the traffic.
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475
> mike.plemm...@crosschx.com
> www.crosschx.com
>
> On Tue, Jan 3, 2017 at 10:14 AM, Maciej Drobniuch wrote:
>> Hello Mike,
>>
>> I don't know if I'm aligned with your problem, but generally I was facing a SAN cert issue too.
>>
>> Not sure if you're terminating SSL/TLS on the load balancer or not?
>>
>> Usually I do SAN certs in IPA via GUI/IdM. I am adding a service and hosts assigned to that service.
>>
>> Every host has an additional https service.
>>
>> Then I am simply pasting the SAN CSR into the host that owns the main service and this creates a signed SAN cert that you can upload later to your LB.
>>
>> In simple words the service is assigned to all hosts but those hosts have also a service added (this is a hack).
>>
>> Hope that makes sense and helps solve your problem.
>>
>> BR
>>
>> On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
>>> I am trying to get FreeIPA LDAP to work when behind a load balancer and using SSL and I do not understand how I am supposed to get the server to use a certificate I created that has a SAN created.
>>>
>>> FreeIPA 4.4.0 on CentOS 7
>>>
>>> Here is what I have:
>>> ipa-master.dev.crosschx.com - master
>>> ipa-replica.dev.crosschx.com - replica
>>> ipa.dev.crosschx.com - load balancer DNS name which points to the master and replica servers
>>>
>>> Here is what I have done.
>>> ipa host-add ipa.dev.crosschx.com --random --force
>>>
>>> ipa service-add --force ldap/ipa.dev.crosschx.com
>>>
>>> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>>>
>>> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>>>
>>> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com -K ldap/ipa-master.dev.crosschx.com
>>>
>>> I can see the certificate is being monitored by IPA when I run ipa-getcert list but I am lost at the step to have this cert put into the database so that IPA will properly respond when I try to connect over LDAPS.
>>>
>>> I was testing the connection with the following command and I see the ipa-master.dev cert being served.
>>>
>>> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername ipa.dev.crosschx.com
>>>
>>> Can you point me to the documentation I need to follow?
>>>
>>> Thank you.
>>>
>>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> 614-741-5475
>>> mike.plemm...@crosschx.com
>>> www.crosschx.com
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> Best regards
>>
>> Maciej Drobniuch
>> Network Security Engineer
>> Collective-Sense,LLC

--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
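The `openssl s_client -servername` test in Mike's original post shows which certificate the server selects for the load-balancer name, but whether a client accepts it depends on that name appearing in the certificate's dNSName SANs (once a SAN extension is present, the CN is ignored by modern clients). Below is an added example, not code from the thread or from FreeIPA, that performs the same connection from Python, verifies the chain against a CA bundle you pass in (`ca_file` is an assumed, caller-supplied path), and reports the SAN list next to the expected name so a mismatch is visible rather than just an exception.

```python
import socket
import ssl


def san_matches(expected_name, san_dns_names):
    """Return True if expected_name is covered by one of the dNSName SANs.

    Matching follows the usual TLS client rules: case-insensitive, label-by-label
    comparison, and '*' honoured only as the whole left-most label, so
    *.dev.crosschx.com covers ipa.dev.crosschx.com but *.crosschx.com does not,
    and a wildcard directly under a TLD (*.com) is never accepted.
    """
    want = expected_name.lower().rstrip(".").split(".")
    for san in san_dns_names:
        have = san.lower().rstrip(".").split(".")
        if len(have) != len(want):
            continue
        if have == want:
            return True
        if have[0] == "*" and len(have) > 2 and have[1:] == want[1:]:
            return True
    return False


def dns_sans(peer_cert):
    """Extract dNSName entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def check_served_cert(host, port, servername, ca_file):
    """Connect like `openssl s_client -connect host:port -servername servername`.

    The chain is verified against ca_file (verify_mode stays CERT_REQUIRED, which
    is what makes getpeercert() return the parsed dict); only the hostname check
    is done by us, so a name mismatch still yields the SAN list for the operator.
    Returns (covered, san_list).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            peer_cert = tls.getpeercert()
    sans = dns_sans(peer_cert)
    return san_matches(servername, sans), sans


if __name__ == "__main__":
    import sys
    host, port, name, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    covered, sans = check_served_cert(host, port, name, ca)
    print(("OK" if covered else "MISSING") + f": {name} vs served SANs {sans}")
```

Run as `python3 check_san.py ipa-master.dev.crosschx.com 636 ipa.dev.crosschx.com <ca-bundle>`; a `MISSING` result with only the master's name in the list is exactly the situation the thread describes.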
Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
Maciej,
Thank you for the information. I am not terminating at a load balancer. Originally, I was trying to use a Route53 DNS CNAME entry of ipa.dev.crosschx.com but we found documentation that says the entry should be an A record and not a CNAME. I then created an A record in FreeIPA for ipa.dev.crosschx.com and pointed the A record to the IP addresses of ipa-master.dev.crosschx.com and ipa-replica.dev.crosschx.com.

I guess using the phrase load balancer may be a poor choice here as I am using FreeIPA DNS as a way to load balance the traffic.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614-741-5475
mike.plemm...@crosschx.com
www.crosschx.com

On Tue, Jan 3, 2017 at 10:14 AM, Maciej Drobniuch wrote:
> Hello Mike,
>
> I don't know if I'm aligned with your problem, but generally I was facing a SAN cert issue too.
>
> Not sure if you're terminating SSL/TLS on the load balancer or not?
>
> Usually I do SAN certs in IPA via GUI/IdM. I am adding a service and hosts assigned to that service.
>
> Every host has an additional https service.
>
> Then I am simply pasting the SAN CSR into the host that owns the main service and this creates a signed SAN cert that you can upload later to your LB.
>
> In simple words the service is assigned to all hosts but those hosts have also a service added (this is a hack).
>
> Hope that makes sense and helps solve your problem.
>
> BR
>
> On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
>> I am trying to get FreeIPA LDAP to work when behind a load balancer and using SSL and I do not understand how I am supposed to get the server to use a certificate I created that has a SAN created.
>>
>> FreeIPA 4.4.0 on CentOS 7
>>
>> Here is what I have:
>> ipa-master.dev.crosschx.com - master
>> ipa-replica.dev.crosschx.com - replica
>> ipa.dev.crosschx.com - load balancer DNS name which points to the master and replica servers
>>
>> Here is what I have done.
>> ipa host-add ipa.dev.crosschx.com --random --force
>>
>> ipa service-add --force ldap/ipa.dev.crosschx.com
>>
>> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>>
>> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>>
>> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com -K ldap/ipa-master.dev.crosschx.com
>>
>> I can see the certificate is being monitored by IPA when I run ipa-getcert list but I am lost at the step to have this cert put into the database so that IPA will properly respond when I try to connect over LDAPS.
>>
>> I was testing the connection with the following command and I see the ipa-master.dev cert being served.
>>
>> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername ipa.dev.crosschx.com
>>
>> Can you point me to the documentation I need to follow?
>>
>> Thank you.
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614-741-5475
>> mike.plemm...@crosschx.com
>> www.crosschx.com
>
> --
> Best regards
>
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
Hello Mike,

I don't know if I'm aligned with your problem, but generally I was facing a SAN cert issue too.

Not sure if you're terminating SSL/TLS on the load balancer or not?

Usually I do SAN certs in IPA via GUI/IdM. I am adding a service and hosts assigned to that service.

Every host has an additional https service.

Then I am simply pasting the SAN CSR into the host that owns the main service and this creates a signed SAN cert that you can upload later to your LB.

In simple words the service is assigned to all hosts but those hosts have also a service added (this is a hack).

Hope that makes sense and helps solve your problem.

BR

On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
> I am trying to get FreeIPA LDAP to work when behind a load balancer and using SSL and I do not understand how I am supposed to get the server to use a certificate I created that has a SAN created.
>
> FreeIPA 4.4.0 on CentOS 7
>
> Here is what I have:
> ipa-master.dev.crosschx.com - master
> ipa-replica.dev.crosschx.com - replica
> ipa.dev.crosschx.com - load balancer DNS name which points to the master and replica servers
>
> Here is what I have done.
> ipa host-add ipa.dev.crosschx.com --random --force
>
> ipa service-add --force ldap/ipa.dev.crosschx.com
>
> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>
> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>
> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com -K ldap/ipa-master.dev.crosschx.com
>
> I can see the certificate is being monitored by IPA when I run ipa-getcert list but I am lost at the step to have this cert put into the database so that IPA will properly respond when I try to connect over LDAPS.
>
> I was testing the connection with the following command and I see the ipa-master.dev cert being served.
>
> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername ipa.dev.crosschx.com
>
> Can you point me to the documentation I need to follow?
>
> Thank you.
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475
> mike.plemm...@crosschx.com
> www.crosschx.com

--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC