I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud.
FreeIPA clients will be contacting the replica and the master server through the load
balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem
is that when retrieving LDAP data and during the authentication, the SSL handshake fails, as the
certificate sent back from the master or replica has a hostname different than the one
used in the sssd configuration (the ELB CNAME), so the connection is terminated. There is a workaround,
which is to use reqcert=allow, but this brings a security issue with a MITM attack. Another
solution I found is to use a SAN. I was able to add the ELB DNS name as a SAN in the FreeIPA servers'
certificate. I made sure it is there by downloading the certificate and checking that the
ELB SAN exists, but when testing it the same problem remains. Please help.
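The hostname-matching rules a verifying client (reqcert=demand) applies to a server certificate, as an added example that is not part of this thread: when a SAN is present only its dNSName entries count and the subject CN is ignored, so a certificate that names only the IPA host fails for the ELB CNAME. The sample dicts mirror the shape of `ssl.SSLSocket.getpeercert()`; the hostnames are constructed placeholders, not values from the post.

```python
from typing import Mapping, Sequence, Tuple

# Constructed sample: getpeercert() shape for an IPA server certificate whose SAN
# carries the server's own name plus the ELB CNAME. Hostnames are placeholders.
CERT_WITH_ELB_SAN = {
    "subject": ((("commonName", "ipa1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "ipa1.example.internal"),
        ("DNS", "ipa-lb.example.internal"),
    ),
}

# Same certificate before the SAN was extended: only the server's own name.
CERT_WITHOUT_ELB_SAN = {
    "subject": ((("commonName", "ipa1.example.internal"),),),
    "subjectAltName": (("DNS", "ipa1.example.internal"),),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or one '*' as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: Mapping, hostname: str) -> Tuple[bool, str]:
    """Would a client that verifies certificates accept `cert` for `hostname`?
    Returns (verdict, reason). With a SAN present the CN is never consulted."""
    sans: Sequence[Tuple[str, str]] = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_label_match(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"{hostname!r} not in SAN dNSNames {dns_names}"
    # No SAN at all: legacy fallback to the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_label_match(value, hostname):
                return True, f"matched CN {value!r} (no SAN present)"
    return False, f"{hostname!r} matches neither SAN nor CN"
```

Feeding in the dict returned by `getpeercert()` from a connection made through the ELB shows which certificate the client actually receives and why the check fails, which is the first thing to confirm before relaxing reqcert.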
New subject: using freeipa with an AWS elastic load balancer
So, my situation:
I have 2 FreeIPA servers in AWS.
I want to load balance the WebUI (basically for the user's self-service). Not the
KDC, or LDAP or anything else, just the WebUI. Mainly because my hostnames are absolutely
horrible and extremely difficult to remember.
What I have done so far is:
- Create an ALB in AWS pointing to the 2 instances.
- The ALB listens on port 80
- The ALB forwards traffic to port 443
It looks like it's OK for the moment, although I believe the best approach would be to
create a new certificate in the FreeIPA servers that would include the ALB hostname and
use HTTPS end to end (but that's another story).