Hi,
Thank you for your response.
Certmonger will track and manage this certificate (and keep my modification), but when the
FreeIPA software is updated, will this SAN configuration be persistent?
Is it possible that the LDAP certificate request can be changed (deleted and re-created, for
example) during the FreeIPA upgrade process?
BR,
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Cc: "David Goudet" <david.goudet(a)lyra-network.com>
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
Hi,
I am using FreeIPA v4. Some client products do not support LDAP failover, so I am
configuring an LDAP load balancer based on KeepAlived to do LDAP stream failover.
I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA service,
LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.
Everything works as expected except TLS certificate verification on the client side: the
hostname required by the client is ldapha.xxx, the stream is load balanced by KeepAlive to ds01 or ds02,
and the certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake
failed.
nssdb certificate request:
Request ID 'yyy':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: xxxx
    subject: CN=ds02.xxxx
    expires: 2019-03-24 13:33:31 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
    track: yes
    auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command above, but is it
recommended/supported? When the FreeIPA software is updated, will this SAN configuration
be persistent?
What is the best/recommended solution to cover this need?
That is a valid approach. Certmonger will remember the
configuration so you only need to do this once.
Cheers,
Fraser
Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
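The question in this thread is whether the SAN added with `ipa-getcert resubmit -D ...` survives later FreeIPA upgrades. The script below is an added example, not part of the thread or of FreeIPA/certmonger: it audits the text that `getcert list` / `ipa-getcert list` prints (the same layout shown in the original message, where the issued certificate's SANs appear on a `dns:` line) and reports every tracked request whose certificate carries the given hostname neither as subject CN nor as a dNSName SAN. The sample request IDs ('yyy', 'zzz') and host names are constructed placeholders in the style of the original message.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit `getcert list` output
# and report tracked requests whose certificate lacks a given hostname both as
# subject CN and as a dns: SAN. Run after an IPA upgrade to confirm the SAN
# added with `ipa-getcert resubmit -D ...` is still on the issued certificate.

# Constructed sample in the layout certmonger prints. Request IDs 'yyy'/'zzz'
# and the host names are placeholders, like those in the original message.
sample_getcert_list() {
    cat <<'EOF'
Request ID 'yyy':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ds02.xxxx
    dns: ds02.xxxx,ldapha.xxx
    track: yes
Request ID 'zzz':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ds02.xxxx
    track: yes
EOF
}

# requests_missing_name NAME
# Reads getcert list text on stdin; prints the ID of each request whose
# subject CN and dns: SANs both lack NAME (one ID per line, nothing if all
# tracked certificates carry the name).
requests_missing_name() {
    awk -v name="$1" -v q="'" '
        function flush() { if (id != "" && !found) print id }
        /^Request ID/ {
            flush()
            # third field is the quoted ID followed by a colon: strip both
            id = $3; gsub(q, "", id); sub(/:$/, "", id)
            found = 0
            next
        }
        /^[ \t]*subject:/ {
            # subject may hold several RDNs; only CN= values are compared
            s = $0; sub(/^[ \t]*subject:[ \t]*/, "", s); gsub(/[ \t]/, "", s)
            n = split(s, rdn, ",")
            for (i = 1; i <= n; i++) {
                v = rdn[i]
                if (sub(/^CN=/, "", v) && v == name) found = 1
            }
            next
        }
        /^[ \t]*dns:/ {
            # dns: line lists the certificate dNSName SANs, comma separated
            s = $0; sub(/^[ \t]*dns:[ \t]*/, "", s); gsub(/[ \t]/, "", s)
            n = split(s, san, ",")
            for (i = 1; i <= n; i++) if (san[i] == name) found = 1
            next
        }
        END { flush() }
    '
}

# Stand-alone demonstration on the constructed sample: only 'zzz' lacks ldapha.xxx.
sample_getcert_list | requests_missing_name ldapha.xxx
```

On a real server the check is `ipa-getcert list | requests_missing_name ldapha.xxx` on each IPA host; empty output means every tracked certificate presents the load-balancer name. Because the `dns:` line describes the certificate currently in the NSS database, the check reflects what clients actually receive, not just what certmonger has been asked to request, so it also catches a renewal that went through without the extra SAN.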