I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is that when retrieving data and during authentication, the SSL handshake fails, as the certificate sent back from the master or replica has a hostname different from the one used in sssd, so the connection is terminated. There is a workaround, which is to use reqcert=allow, but this brings a security issue with a MITM attack. Another solution I found is to use SAN, but I don't seem to make it right. Any thoughts on how to solve that will be very helpful.
Hello
IPA can sign certificate requests with subjectAltName (SAN) extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL certificate request(s), adding the '-D' option to specify the DNSNAME value for each of the VIPs:
First, on each IPA server, run 'ipa-getcert list' to find the Request ID for the back-end LDAP SSL certificate(s) (nickname='Server-Cert') that is being tracked:
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120717215052':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
    expires: 2014-07-18 21:50:52 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Using the Request ID from the above command, resubmit the request and add the FQDNs for the VIPs:
# ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
But before that, you need to add vip.example.com to IPA first and add it as a service:
# ipa host-add vip.example.com
# ipa service-add ldap/vip.example.com
# ipa service-add-host ldap/vip.example.com --host `hostname`
Now:
# ipa-getcert list
# ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>
Regards Arpit Tolani
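The steps above as one script, added here as an example (not Arpit's code or FreeIPA's own): it picks the 389-ds Server-Cert request out of 'ipa-getcert list' output, registers the VIP, and resubmits the request with the VIP as a dNSName SAN. It assumes the instance directory /etc/dirsrv/slapd-* shown in the listing above, an admin Kerberos ticket on the IPA server, and vip.example.com as the placeholder name from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): select the 389-ds 'Server-Cert'
# request from 'ipa-getcert list' and resubmit it with the load-balancer name as a SAN.

# Print the Request ID of the tracked certificate stored in an NSS database whose
# location starts with $1 (default: the 389-ds instance directory, an assumption)
# under the nickname 'Server-Cert'. Reads 'ipa-getcert list' output on stdin.
# httpd's certificate carries the same nickname, so the location tells them apart.
server_cert_request_id() {
    prefix="${1:-/etc/dirsrv/slapd-}"
    awk -v prefix="$prefix" -v q="'" '
        /^Request ID / { id = $3; gsub(/[^0-9]/, "", id) }   # drop quotes and colon
        /^[ \t]*certificate:/ &&
        index($0, "location=" q prefix) &&
        index($0, "nickname=" q "Server-Cert" q) { print id; exit }'
}

# Register the VIP in IPA and let this server manage its LDAP service; these are the
# commands from the thread and need an admin ticket (kinit admin) on the IPA server.
register_vip() {
    vip="$1"
    ipa host-add "$vip" &&
    ipa service-add "ldap/$vip" &&
    ipa service-add-host "ldap/$vip" --host "$(hostname)"
}

# Resubmit the 389-ds certificate request with the VIP as an extra dNSName, then list
# the request again so the new status (and any ca-error) can be read off.
resubmit_with_san() {
    vip="$1"
    id="$(ipa-getcert list | server_cert_request_id)"
    if [ -z "$id" ]; then
        echo "no tracked 389-ds Server-Cert request found" >&2
        return 1
    fi
    ipa-getcert resubmit -i "$id" -D "$vip" &&
    ipa-getcert list -i "$id"
}

# Usage on an IPA server, e.g.:
#   register_vip vip.example.com && resubmit_with_san vip.example.com
```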
BTW, now that I think of it, why are you using a load balancer? Let SRV records take care of your IPA load balancing; configure your clients to auto-discover IPA servers using SRV records.
Regards Arpit Tolani
Hi
Thank you for the reply, I will try what you described and see if this works. I didn't know about this 'SRV records' thing and I don't know if it will work, as I am configuring my clients kinda manually without the client setup script.
Regards
From: Arpit Tolani arpittolani@gmail.com
Sent: Monday, June 12, 2017 12:48:40 PM
To: FreeIPA users list
Cc: Ridha Zorgui
Subject: Re: [Freeipa-users] FreeIPA master and replica behind an Elastic load balancer

BTW, now that I think of it, why are you using a load balancer? Let SRV records take care of your IPA load balancing; configure your clients to auto-discover IPA servers using SRV records.
Regards Arpit Tolani
Hi again
I have done the steps you mentioned, but I get this error when I run ipa-getcert list:
ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170315172027':
    status: MONITORING
    ca-error: Server at https://freeipa.dev.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'freeipa-elb.us-east-1.elb.amazonaws.com'.).
I had already run kinit admin.
Regards,
From: Ridha Zorgui
Sent: Monday, June 12, 2017 12:54:02 PM
To: Arpit Tolani; FreeIPA users list
Subject: Re: [Freeipa-users] FreeIPA master and replica behind an Elastic load balancer

Hi
Thank you for the reply, I will try what you described and see if this works. I didn't know about this 'SRV records' thing and I don't know if it will work, as I am configuring my clients kinda manually without the client setup script.
Regards
freeipa-users@lists.fedorahosted.org