Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
Rob, I just saw your message on IRC from a couple of hours ago... time difference ;) Thanks, Matt 2015-03-28 10:17 GMT+01:00 Matt . yamakasi@gmail.com: Rob, As I was responding a little bit late last night, the following come to mind. As you say I need to request my cert with two

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
Rob, As I was responding a little bit late last night, the following come to mind. As you say I need to request my cert with two names, how do you mean? I'm using curl at the moment so figuring that out. As the same issue happens in the GUI itself I think this might be a problem. When I

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
I'm almost there but what happens when I regenerate a certificate for the ldap server I get the following when I visit it through the loadbalancer: no alternative certificate subject name matches target host name 'ldap-01.domain' I think this is strange as the certificate shows the ldap

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Rob Crittenden
Matt . wrote: I'm almost there but what happens when I regenerate a certificate for the ldap server I get the following when I visit it through the loadbalancer: no alternative certificate subject name matches target host name 'ldap-01.domain' I think this is strange as the

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
Hi Rob, Thanks for the explanation. I understand your solution, I just thought that was the dirty way :) Thanks for your effort! Cheers, Matt 2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: I'm almost there but what happens when I regenerate a certificate for

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
When digging around I see this documentation: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that? 2015-03-26 1:57 GMT+01:00 Matt .

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote: When digging around I see this documentation: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that? These are SRV records for the

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob, Yes something is wrong there I guess. But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least. So the question there is... how? Cheers, Matt 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote:

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob, Thank you very much! I think this will work out as it's only https traffic. I will report back! Thanks a lot! Matt 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi, This should be it and worked for generating the cert with the altname ldap.domain.tld When I log in and go to services I get the following: cannot connect to 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
OK some new update: When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a 301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my browser it just works fine. 2015-03-26 22:11 GMT+01:00 Matt .

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote: Hi Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what you're trying to do. But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least. So the question there is... how? What webserver

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-25 Thread Matt .
OK, quite clear but I think that is not going to help me, if you ask me, I might be wrong here as this is what I get: # wget https://ldap.mydomain.tld/ipa/json --2015-03-26 01:22:51-- https://ldap.mydomain.tld/ipa/json Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250 Connecting to

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-20 Thread Rob Crittenden
Matt . wrote: The right way to request a SAN, this seems to need some extra config file? Like I said before, use certmonger, it makes life easier. I'll create a new host balancer.example.com with a HTTP service. I'll generate a cert with a SAN for idp.example.com in that service. I'm

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
Isn't this documented well (yet)? The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way. 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com: Not worried, I need to try. I think it's not an

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
The right way to request a SAN, this seems to need some extra config file? 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Isn't this documented well (yet)? Is what documented yet? rob The RH docs are always very detailed about it, but I'm not sure here...

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Rob Crittenden
Matt . wrote: Isn't this documented well (yet)? Is what documented yet? rob The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way. 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi, Security-wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect? I was not sure if the SAN would connect as other host. 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi Guys, Is Rob able to look at

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote: Hi, Security-wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect? I was not sure if the SAN would connect as other host. Kerberos through a load balancer can be a problem. Is this what you're worried about? rob

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote: Hi Guys, Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue. Wildcard certs are not supported. You can request a SAN with certmonger using -D FQDN. That will work with IPA 4.x for sure, maybe 3.3.5. rob Thanks! 2015-03-08

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi Guys, Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue. Thanks! 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com: I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup I need to have the same

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-08 Thread Matt .
I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both FQDNs of the servers including the loadbalancer's FQDN. But the question remains, how?

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-07 Thread Matt .
Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online. 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/06/2015 11:05 AM, Matt . wrote: OK, understood. But when a webservice does execute a command (from scripting) to a

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options? 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com: On 6.3.2015 14:08, Martin Kosek wrote: I'm figuring out how to

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:13, Matt . wrote: Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options? I do not really understand your use case. Could you describe it in detail, please?

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
I have 2 IPA servers where I kinit to and post to the api using curl/json. As I need redundancy and don't want to have it script managed, but one central point where I can talk to I use a loadbalancer. As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 16:24, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe? Keytabs are used by Kerberos and MIT kerberos libraries fully

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:39, Matt . wrote: I have 2 IPA servers where I kinit to and post to the api using curl/json. If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way. As I need redundancy and

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe? In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6 Thanks again!

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 14:08, Martin Kosek wrote: I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Martin Kosek
On 03/06/2015 01:30 PM, Matt . wrote: Hi, I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. I see in the docs there is information about this, but not for the webservice. Does anyone have some directions? Thanks. Matt

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi Martin, Thanks, I saw that ticket but didn't get to the wiki part yet. What I wonder in Step 6: 6. Request a signed certificate for the service and see the entry in Certmonger. In case you created a NSS database with a PIN (see the step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Simo Sorce
On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe? What kind of load balancing? An IPA server

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal
On 03/06/2015 10:24 AM, Matt . wrote: Hi, I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe? Each entity in Kerberos exchange has its own identity and key. If

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal
On 03/06/2015 11:05 AM, Matt . wrote: OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I