Hello everyone, I have 2 FreeIPA servers in AWS and a LB in front of them to serve the UI and the LDAP (just the GUI and the LDAP; for Kerberos we use DNS discovery). My problem is that I cannot use TLS with LDAP connections because the CA does not have the LB's name in the SAN.
Is there any way to **add** the additional hostname to the CA certificate?
I had a similar problem in Kubernetes. What I ended up doing was discovering the FQDN of the internal service address, then generating the external address to match that FQDN using a dotted (non-hierarchical) A record.
Don’t know if you can use that trick, but it might provide some ideas.
Sent from my iPhone
On Dec 17, 2018, at 21:21, Peter Tselios via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello everyone, I have 2 FreeIPA servers in AWS and a LB in front of them to serve the UI and the LDAP (just the GUI and the LDAP; for Kerberos we use DNS discovery). My problem is that I cannot use TLS with LDAP connections because the CA does not have the LB's name in the SAN.
Is there any way to **add** the additional hostname to the CA certificate?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
The FQDNs are known. But they are in a stupid format like a923y923jfaigf.subdomain.example.com and the LB is in the form ipaldap.example.com...
Hi Peter,
I see what you mean about not wanting to distribute a name like a923y923jfaigf. Kubernetes does this kind of thing as well with Pods (they look like "podname-a9c4f2"), unless one uses a StatefulSet. Then the name looks like <ssname>-{0,1,2…}, so like "ss-0.servicename.namespace.clustername.example.com", which in the shortest case is like "dns-0.dns.dmz.c0.example.com".
So what I did is add "dns-X.dns.dmz.c0" as a literal A record to example.com, one for each X. It works well and is performant.
On Dec 18, 2018, at 12:13 AM, Peter Tselios via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
The FQDNs are known. But they are in a stupid format like a923y923jfaigf.subdomain.example.com and the LB is in the form ipaldap.example.com...
On 12/17/18 3:21 PM, Peter Tselios via FreeIPA-users wrote:
Hello everyone, I have 2 FreeIPA servers in AWS and a LB in front of them to serve the UI and the LDAP (just the GUI and the LDAP; for Kerberos we use DNS discovery). My problem is that I cannot use TLS with LDAP connections because the CA does not have the LB's name in the SAN.
Is there any way to **add** the additional hostname to the CA certificate?
Hi,
Please have a look at the following email thread [1], which explains how to add an additional SAN to the LDAP server certificate. HTH, flo
[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
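A check a practitioner can run before and after following the thread in [1]: it fetches the certificate the LDAPS endpoint presents and tests whether the load-balancer name (ipaldap.example.com in this thread) is covered by its SAN, including the single-leftmost-label wildcard rule clients apply. This is added example code, not part of the thread; the sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the CA bundle path `/etc/ipa/ca.crt` is assumed to be the usual FreeIPA client location.

```python
import socket
import ssl

# Constructed sample: a FreeIPA LDAP server certificate whose SAN carries only the
# server's own auto-generated hostname, so a client connecting to the LB name fails.
CERT_WITHOUT_LB_NAME = {
    "subject": ((("commonName", "a923y923jfaigf.subdomain.example.com"),),),
    "subjectAltName": (("DNS", "a923y923jfaigf.subdomain.example.com"),),
}

# Constructed sample: the same server after the LB name was added as a SAN entry.
CERT_WITH_LB_NAME = {
    "subject": ((("commonName", "a923y923jfaigf.subdomain.example.com"),),),
    "subjectAltName": (
        ("DNS", "a923y923jfaigf.subdomain.example.com"),
        ("DNS", "ipaldap.example.com"),
    ),
}


def dns_names(cert):
    """DNS entries of the SAN extension, lower-cased and without a trailing dot.
    The subject CN is deliberately ignored: modern TLS clients only consult the SAN."""
    return [v.lower().rstrip(".") for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def san_matches(pattern, hostname):
    """RFC 6125 style match: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire leftmost label, must not cover a bare
    # second-level domain, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_covered(cert, hostname):
    """True if a TLS client connecting to `hostname` would accept this certificate's SAN."""
    return any(san_matches(n, hostname) for n in dns_names(cert))


def fetch_peer_cert(host, port=636, cafile="/etc/ipa/ca.crt", timeout=5.0):
    """Fetch the certificate an LDAPS endpoint presents. The chain is still verified
    against the IPA CA; only hostname checking is disabled, because the purpose is to
    inspect the SAN of a certificate that may not yet name the LB (an unverified
    handshake would make getpeercert() return an empty dict)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `name_covered(fetch_peer_cert("ipaldap.example.com"), "ipaldap.example.com")` against the real endpoint; it must return True for every backend behind the LB, since the LB hands the client whichever server's certificate it happens to route to.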