Hi
We run separate IPA instances for different environments (rather than a single IPA setup
with multiple interfaces) - I suggest looking at that instead.
We also run different domain names across our environments: is it not just a case of
adding "--realm=BLAH" to your ipa-client-install command?
Regards
Angus
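As an added illustration, not from this thread or from the FreeIPA project, here is the name check a TLS client such as libcurl on NSS performs before it reports SSL_ERROR_BAD_CERT_DOMAIN, applied to the subject from the curl output quoted below; the SAN entries and the second, dual-name certificate are assumptions for the sake of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example: hostname verification as a TLS client applies it, reconstructed
# around the server certificate quoted in this thread. SAN contents are assumed;
# the thread shows only the subject CN.

@dataclass
class CertIdentity:
    """The parts of a server certificate that matter for hostname verification."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)

def match_dns_name(pattern: str, hostname: str) -> bool:
    """Compare one presented DNS identity with the requested name.

    Case-insensitive; '*' is accepted only as the entire left-most label and only
    when at least two further labels follow it (so '*.local' never matches).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        if p[0] != "*" or len(p) < 3 or any("*" in lab for lab in p[1:]):
            return False
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h

def hostname_matches(cert: CertIdentity, hostname: str) -> bool:
    """SAN dNSName entries are authoritative; the CN is consulted only if none exist."""
    presented = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(match_dns_name(name, hostname) for name in presented)

def diagnose(cert: CertIdentity, hostname: str) -> tuple[bool, str]:
    """Return (ok, explanation) in the spirit of NSS's SSL_ERROR_BAD_CERT_DOMAIN."""
    if hostname_matches(cert, hostname):
        return True, f"{hostname} is covered by the certificate"
    presented = cert.san_dns or [cert.common_name]
    return False, f"requested {hostname} but the certificate only names " + ", ".join(presented)

# Identity taken from the curl output in the thread; the SAN list is an assumption
# (FreeIPA's Server-Cert normally carries the host's own FQDN as a dNSName).
THREAD_CERT = CertIdentity(
    common_name="ipa-server-03.ipa.mydomain.local",
    san_dns=["ipa-server-03.ipa.mydomain.local"],
)
# Hypothetical replacement certificate that also names the host in the 'pro' zone.
DUAL_NAME_CERT = CertIdentity(
    common_name="ipa-server-03.ipa.mydomain.local",
    san_dns=["ipa-server-03.ipa.mydomain.local", "ipa-server-03.pro.mydomain.local"],
)

if __name__ == "__main__":
    for cert in (THREAD_CERT, DUAL_NAME_CERT):
        ok, why = diagnose(cert, "ipa-server-03.pro.mydomain.local")
        print("OK  " if ok else "FAIL", why)
```

Run as a script it prints a FAIL line for the thread's certificate and an OK line for the dual-name one; the check is purely on DNS names, so an IP-address SAN would not help a client that connects by hostname.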
> On 23 July 2019 at 04:09 Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> Raul Gomez via FreeIPA-users wrote:
> > Hello list,
> >
> > I'm facing a new issue here. My FreeIPA setup has several domains, one for
> > each different environment it provides authentication to, and listening on a different
> > network interface on the same servers for each environment (something like 192.168.0.0/24
> > for production, 192.168.2.0/24 for staging, and there is no route between these networks),
> > but of course there is just one realm.
> >
> > My issue here is, when I try to enroll new clients to the FreeIPA, the
> > installation is rejecting the server because it doesn't match the domain in the
> > certificate of the server. You can see the error message below:
> >
> > * About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
> > * Trying 192.168.0.1...
> > * Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /etc/ipa/ca.crt
> > CApath: none
> > * Server certificate:
> > * subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
> > * start date: Jun 14 22:11:30 2019 GMT
> > * expire date: Jun 14 22:11:30 2021 GMT
> > * common name: ipa-server-03.ipa.mydomain.local
> > * issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
> > * NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
> > * Unable to communicate securely with peer: requested domain name does not match
> > the server's certificate.
> > * Closing connection 0
> > libcurl failed to execute the HTTP POST transaction, explaining: Unable to
> > communicate securely with peer: requested domain name does not match the server's
> > certificate.
> >
> > This is the command I'm using to enroll the clients:
> >
> > ipa-client-install -v --enable-dns-updates --mkhomedir
> > --domain=pro.mydomain.local --hostname=client-1.pro.mydomain.local
> >
> > Why am I forcing the --domain parameter? In order to enroll the clients with
> > the appropriate DNS zone for their respective domain.
> >
> > So, I've tried to add a new certificate in the httpd configuration, but I
> > see there are no certificates in plain text (PEM) format in the Apache configuration, but
> > instead it is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
> >
> > NSSEngine on
> > NSSCipherSuite ... list of cipher suite
> > NSSProtocol TLSv1.2
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> >
> > And after all my explanation here, my question is: how can I add a new NSS
> > certificate for my IPA Servers with the CN in the appropriate domain? In the example above
> > it would be CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each
> > certificate with the corresponding IP address too.
> >
> > I've already done it via web, but it seems it doesn't work, or I'm
> > probably missing something here. Could anyone point me in the right direction here?
> >
> > Thank you very much in advance for your time and help, regards...
>
> How do you have multiple environments/domains running if enrollment
> isn't working? Why have production, staging, etc on the same IPA
> infrastructure?
>
> We need to know what version of IPA you are running. The capabilities
> differ.
>
> And what have you already done? In detail please.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...