Hi Everyone,
I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster. They each have their own self-signed certificate, and replication is working well.
I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com. I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard:
$ echo | openssl s_client -connect downtown.example.com:636 CONNECTED(00000003) depth=1 CN = self-ca.example.com verify error:num=19:self signed certificate in certificate chain --- <server cert details redacted>
I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert. But removing it resulted in:
$ echo | openssl s_client -connect downtown.example.com:636 socket: Bad file descriptor connect:errno=9
Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction?
Thanks a lot, Trev
On 27 Jul 2019, at 07:50, Fong, Trevor trevor.fong@ubc.ca wrote:
Hi Everyone,
I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster. They each have their own self-signed certificate, and replication is working well.
I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com. I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
You have to remove the existing "server-cert" alias in NSS DB, and add your wildcard cert/key with the name "server-cert". You'll need to make a P12 bundle with the right alias and then import it.
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_referenc...
Check the "importing certificates to NSS" section, and the "basic listing" section.
Hope that helps,
However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard:
$ echo | openssl s_client -connect downtown.example.com:636 CONNECTED(00000003) depth=1 CN = self-ca.example.com verify error:num=19:self signed certificate in certificate chain
<server cert details redacted>
I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert. But removing it resulted in:
$ echo | openssl s_client -connect downtown.example.com:636 socket: Bad file descriptor connect:errno=9
Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction?
Thanks a lot, Trev
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
Hi William,
Thanks very much for the clues. I finally got it to work by: 1. Importing the wildcard cert's CA cert chain (I did each issuer as separate entries, but it might work concatenated into 1 file?) certutil -A -d . -n "CA ExternalCARoot" -t "CT,," -i ExternalCARoot.crt certutil -A -d . -n "CA Intermediate_CA" -t "CT,," -i IntermediateCA.crt certutil -A -d . -n "CA StandardSSLCA" -t "CT,," -i StandardSSLCA.crt 2. Convert wildcard cert's key to PKCS #12 openssl pkcs12 -export -out star.example.com_key.pfx -inkey star.example.com.key -in star.example.com.crt -certfile StandardSSLCA2.crt 3. Import the wildcard cert's key pk12util -i star.example.com_key.pfx -d /etc/dirsrv/slapd-<instance>/ -W "password" 4. Find the name of the wildcard cert certutil -L -d . -f pwdfile.txt 5. Point 389 DS at the wildcard cert dn: cn=RSA,cn=encryption,cn=config changetype: modify replace: nsSSLPersonalitySSL nsSSLPersonalitySSL: *.example.com - CA 6. Restart 389 DS systemctl restart dirsrv.target
Thanks, Trev
On 2019-07-26, 5:49 PM, "William Brown" wbrown@suse.de wrote:
> On 27 Jul 2019, at 07:50, Fong, Trevor trevor.fong@ubc.ca wrote: > > Hi Everyone, > > I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster. > They each have their own self-signed certificate, and replication is working well. > > I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com. > I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
You have to remove the existing "server-cert" alias in NSS DB, and add your wildcard cert/key with the name "server-cert". You'll need to make a P12 bundle with the right alias and then import it.
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_referenc...
Check the "importing certificates to NSS" section, and the "basic listing" section.
Hope that helps,
> > However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard: > > $ echo | openssl s_client -connect downtown.example.com:636 > CONNECTED(00000003) > depth=1 CN = self-ca.example.com > verify error:num=19:self signed certificate in certificate chain > --- > <server cert details redacted> > > I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert. > But removing it resulted in: > > $ echo | openssl s_client -connect downtown.example.com:636 > socket: Bad file descriptor > connect:errno=9 > > > Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction? > > Thanks a lot, > Trev > > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 30 Jul 2019, at 04:07, Fong, Trevor trevor.fong@ubc.ca wrote:
Hi William,
Thanks very much for the clues. I finally got it to work by:
- Importing the wildcard cert's CA cert chain (I did each issuer as separate entries, but it might work concatenated into 1 file?)
certutil -A -d . -n "CA ExternalCARoot" -t "CT,," -i ExternalCARoot.crt certutil -A -d . -n "CA Intermediate_CA" -t "CT,," -i IntermediateCA.crt certutil -A -d . -n "CA StandardSSLCA" -t "CT,," -i StandardSSLCA.crt 2. Convert wildcard cert's key to PKCS #12 openssl pkcs12 -export -out star.example.com_key.pfx -inkey star.example.com.key -in star.example.com.crt -certfile StandardSSLCA2.crt 3. Import the wildcard cert's key pk12util -i star.example.com_key.pfx -d /etc/dirsrv/slapd-<instance>/ -W "password" 4. Find the name of the wildcard cert certutil -L -d . -f pwdfile.txt 5. Point 389 DS at the wildcard cert dn: cn=RSA,cn=encryption,cn=config changetype: modify replace: nsSSLPersonalitySSL nsSSLPersonalitySSL: *.example.com - CA 6. Restart 389 DS systemctl restart dirsrv.target
In future versions, you'll need to restart the dirsrv@instance.service directly as dirsrv.target will be removed.
Otherwise, great to hear you got it working, and was happy to help you!
Thanks, Trev
On 2019-07-26, 5:49 PM, "William Brown" wbrown@suse.de wrote:
On 27 Jul 2019, at 07:50, Fong, Trevor trevor.fong@ubc.ca wrote:
Hi Everyone,
I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster. They each have their own self-signed certificate, and replication is working well.
I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com. I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
You have to remove the existing "server-cert" alias in NSS DB, and add your wildcard cert/key with the name "server-cert". You'll need to make a P12 bundle with the right alias and then import it.
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_referenc...
Check the "importing certificates to NSS" section, and the "basic listing" section.
Hope that helps,
However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard:
$ echo | openssl s_client -connect downtown.example.com:636 CONNECTED(00000003) depth=1 CN = self-ca.example.com verify error:num=19:self signed certificate in certificate chain
<server cert details redacted>
I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert. But removing it resulted in:
$ echo | openssl s_client -connect downtown.example.com:636 socket: Bad file descriptor connect:errno=9
Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction?
Thanks a lot, Trev
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
389-users@lists.fedoraproject.org