Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2017-01-03 Thread Maciej Drobniuch
I see.

Generally the SAN thing I mentioned does the job but definitely not in your
case.

An IPA power user is needed here.

On Tue, Jan 3, 2017 at 4:26 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:


-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2017-01-03 Thread Michael Plemmons
Maciej,
  Thank you for the information.  I am not terminating at a load balancer.
Originally, I was trying to use a Route53 DNS CNAME entry of
ipa.dev.crosschx.com but we found documentation that says the entry should
be an A record and not a CNAME.  I then created an A record in FreeIPA for
ipa.dev.crosschx.com and pointed the A record to the IP addresses of
ipa-master.dev.crosschx.com and ipa-replica.dev.crosschx.com.

  I guess using the phrase load balancer may be a poor choice here as I am
using FreeIPA DNS as a way to load balance the traffic.
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614-741-5475
mike.plemm...@crosschx.com
www.crosschx.com

On Tue, Jan 3, 2017 at 10:14 AM, Maciej Drobniuch wrote:

Re: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN

2017-01-03 Thread Maciej Drobniuch
Hello Mike,

I don't know if I'm aligned with your problem, but generally I was facing a
SAN cert issue too.

Not sure if you're terminating SSL/TLS on the load balancer or not?

Usually I do SAN certs in IPA via GUI/IdM.
I am adding a service and hosts assigned to that service.

Every host has an additional https service.

Then I am simply pasting the SAN csr into the host that owns the main
service and this creates a signed SAN cert that you can upload later to
your LB.

In simple words the service is assigned to all hosts but those hosts also
have a service added (this is a hack).

Hope that makes sense and helps solve your problem.

BR

On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:

> I am trying to get FreeIPA LDAP to work when behind a load balancer and
> using SSL and I do not understand how I am supposed to get the server to
> use a certificate I created that has a SAN created.
>
> FreeIPA 4.4.0 on CentOS 7
>
> Here is what I have:
> ipa-master.dev.crosschx.com - master
> ipa-replica.dev.crosschx.com - replica
> ipa.dev.crosschx.com - load balancer DNS name which point to the master
> and replica servers
>
> Here is what I have done.
> ipa host-add ipa.dev.crosschx.com --random --force
>
> ipa service-add --force ldap/ipa.dev.crosschx.com
>
> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>
> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>
> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com -K ldap/ipa-master.dev.crosschx.com
>
>
> I can see the certificate is being monitored by IPA when I run ipa-getcert
> list but I am lost at the step to have this cert put into the database so
> that IPA will properly respond when I try to connect over LDAPS.
>
> I was testing the connection with the following command and I see the
> ipa-master.dev cert being served.
>
> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername ipa.dev.crosschx.com
>
> Can you point me to the documentation I need to follow?
>
> Thank you.
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475
> mike.plemm...@crosschx.com
> www.crosschx.com
>
>



-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
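The s_client test in the original question is the right instinct: what matters for clients is whether the name they connect to (ipa.dev.crosschx.com) appears in the subjectAltName of the certificate the LDAPS port actually serves, and whether that certificate chains to the IPA CA. The script below turns that test into a repeatable check. It is an added example, not code from the thread or from FreeIPA; it assumes the openssl CLI is installed and that the IPA CA lives at /etc/ipa/ca.crt as on an enrolled client (both assumptions, adjustable via IPA_CA). Run with no arguments it demonstrates the SAN parsing on a constructed self-signed certificate; run with `--check HOST PORT NAME` it fetches the live certificate from HOST:PORT, sending NAME as SNI exactly as the thread's command does, and reports whether NAME is among the DNS SANs.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: inspect the
# certificate an LDAPS endpoint actually serves and check that the shared
# name (e.g. ipa.dev.crosschx.com) is among its DNS subjectAltName entries.
# Assumption: the openssl CLI is installed. IPA_CA defaults to the usual
# location of the IPA CA on an enrolled client (an assumption, override it).
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"

# fetch_cert HOST PORT SNI: print the PEM leaf certificate HOST:PORT serves.
# SNI is sent as in the thread's s_client test; a server that does not
# select certificates by SNI will serve the same certificate regardless.
fetch_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
        | openssl x509 -outform PEM
}

# san_dns_names PEMFILE: print each DNS entry of subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_has_name PEMFILE NAME: succeed only if NAME is an exact DNS SAN entry.
cert_has_name() {
    san_dns_names "$1" | grep -qx "$2"
}

# verify_chain PEMFILE CAFILE: succeed if PEMFILE verifies against CAFILE.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_test_cert DIR CN NAME1 NAME2: write a throwaway self-signed cert with
# two DNS SANs to DIR/cert.pem (constructed test data, not an IPA-issued cert).
make_test_cert() {
    cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $2
[v3_req]
subjectAltName = DNS:$3,DNS:$4
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# check_endpoint HOST PORT SNI EXPECTED_NAME: live check with a printed verdict.
check_endpoint() {
    tmp=$(mktemp -d) || return 1
    fetch_cert "$1" "$2" "$3" > "$tmp/served.pem" || { rm -rf "$tmp"; return 1; }
    echo "DNS SANs served by $1:$2:"
    san_dns_names "$tmp/served.pem" | sed 's/^/  /'
    if cert_has_name "$tmp/served.pem" "$4"; then
        echo "OK: $4 is in the SAN"
    else
        echo "MISSING: $4 is not in the SAN; clients using that name will fail"
    fi
    if verify_chain "$tmp/served.pem" "$IPA_CA"; then
        echo "OK: verifies against $IPA_CA"
    else
        echo "WARN: does not verify against $IPA_CA"
    fi
    rm -rf "$tmp"
}

# Usage: sh check_san.sh --check ipa-master.dev.crosschx.com 636 ipa.dev.crosschx.com
# With no arguments, run the offline demo on a constructed certificate.
if [ "${1:-}" = "--check" ]; then
    check_endpoint "$2" "$3" "$4" "$4"
elif [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_test_cert "$demo" ipa-master.dev.crosschx.com \
        ipa-master.dev.crosschx.com ipa.dev.crosschx.com
    san_dns_names "$demo/cert.pem"
    cert_has_name "$demo/cert.pem" ipa.dev.crosschx.com && echo "shared name present"
    rm -rf "$demo"
fi
```

Run the `--check` form against each server (ipa-master and ipa-replica on port 636) with the shared name; a MISSING verdict on either means the certificate that server's directory service serves does not yet carry the shared name, which is exactly the symptom the original question describes, and the certmonger-tracked certificate is not what is being served until it is installed in the directory server's certificate database.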