Hi,
I am using FreeIPAv4; some of my clients' products do not support LDAP failover, so I am configuring an LDAP load balancer based on KeepAlived to do LDAP stream fail-over. I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.
Everything works as expected except TLS certificate verification on the client side: the hostname required by the client is ldapha.xxx, the stream is load balanced by KeepAlived to ds01 or ds02, and the certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake failed.
nssdb certificate request:
Request ID 'yyy':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: xxxx
        subject: CN=ds02.xxxx
        expires: 2019-03-24 13:33:31 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
        track: yes
        auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command above, but is it recommended/supported? When the FreeIPA software is updated, will this SAN configuration be persistent? What is the best/recommended solution to cover this need?
Thank you for your help
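As an added check (not code from this thread, from FreeIPA or from certmonger), the script below parses `getcert list` output shaped like the one quoted above and verifies that the tracked dirsrv certificate is healthy and covers every name clients will verify, including the ldapha.xxx load-balancer name; it also encodes why the resubmit command has to list ds02.xxxx again: once a certificate carries DNS SANs, clients ignore the subject CN. The constructed output assumes the `dns:` line certmonger prints once SANs are present (the output quoted above predates the resubmit and has none).

```python
import re

# Constructed `getcert list` output modelled on the thread's request 'yyy'
# after `ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx`. The `dns:`
# line is what certmonger prints once DNS SANs exist (assumed here).
GETCERT_OUTPUT = """\
Request ID 'yyy':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ds02.xxxx
        expires: 2019-03-24 13:33:31 UTC
        dns: ds02.xxxx,ldapha.xxx
        auto-renew: yes
"""

def parse_getcert(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def name_covered(hostname, san_names, subject_cn=None):
    """RFC 6125 rule modern TLS clients apply: when the cert has any DNS SAN,
    only the SAN list counts and the subject CN is ignored (CN is a fallback only)."""
    host = hostname.lower().rstrip(".")
    if san_names:
        return host in {n.lower().rstrip(".") for n in san_names}
    return subject_cn is not None and subject_cn.lower() == host

def check_request(text, request_id, expected_names):
    """Return (expected names not covered, tracking problems) for one request."""
    req = parse_getcert(text)[request_id]
    problems = []
    if req.get("status") != "MONITORING" or req.get("stuck") != "no":
        problems.append("request unhealthy: status=%s stuck=%s" % (req.get("status"), req.get("stuck")))
    if req.get("auto-renew") != "yes":
        problems.append("auto-renew is off")
    sans = [n for n in req.get("dns", "").split(",") if n]  # dNSName SANs
    cn = re.search(r"CN=([^,]+)", req.get("subject", ""))
    missing = [n for n in expected_names if not name_covered(n, sans, cn.group(1) if cn else None)]
    return missing, problems
```

Feeding it the live `getcert list -i yyy` output after each FreeIPA upgrade gives a concrete test that the added SAN survived.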
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
That is a valid approach. Certmonger will remember the configuration so you only need to do this once.
Cheers, Fraser
Hi,
Thank you for your response.
Certmonger will track and manage this certificate (and keep my modification), but when the FreeIPA software is updated, will this SAN configuration be persistent? Is it possible that the LDAP certificate request can be changed (deleted and re-created, for example) during the FreeIPA upgrade process?
BR,
----- Original Message -----
From: "Fraser Tweedale" ftweedal@redhat.com
To: "FreeIPA users list" freeipa-users@lists.fedorahosted.org
Cc: "David Goudet" david.goudet@lyra-network.com
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
Nope, FreeIPA won't change it on upgrade.
Ok, great.
I will do that (and monitor that the additional SAN ldapha.xx is persistent after upgrade).
Thank you for your help
BR
-- David GOUDET
LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574