Hello Rob,
Thanks for chipping in!
How do you have multiple environments/domains running if enrollment
isn't working?
Well, the project started just in one environment, and several clients were enrolled.
Then my manager wanted me to include other environments as well, but there were no
network routes to them, so I added a new network interface to the FreeIPA servers for each
new environment (2 more so far), and that's where I haven't managed to enroll new
clients.
Why have production, staging, etc on the same IPA infrastructure?
There are several reasons. Although my first idea when I was asked to add more
environments was to deploy new IPA servers in a "remote" location, the lack of
resources we have right now, and the fact that the total number of clients is not that big
(around 30 counting all environments), made it hard to convince my manager to
authorize the deployment of a new IPA infrastructure for each environment.
We need to know what version of IPA you are running. The capabilities
differ.
My bad, I forgot to add it. I'm using FreeIPA 4.6.4 from CentOS 7.6 (server and
clients), all software updated around three weeks ago:
- krb5 1.15.1-37
- ipa 4.6.4-10
- sssd 1.16.2-13
- httpd 2.4.6-89
- nss 3.36.0-7.1
And what have you already done? In detail please.
So far, I encountered several errors while trying to enroll new clients, and I was able to
solve them by performing these actions in this particular order:
I have added a VirtualHost section in the /etc/httpd/conf.d/nss.conf file for each network
interface on each IPA server (I have 3 in total) to avoid the "301 moved
permanently" error, something like this:
# I've changed the "_default_:443" value in order to match the network addresses
<VirtualHost 192.168.0.1:443>
    ServerName ipa-server-01.ipa.mydomain.local
    ErrorLog /etc/httpd/logs/error_log
    TransferLog /etc/httpd/logs/access_log
    LogLevel warn
    NSSEngine on
    NSSCipherSuite ... list of cipher suites
    NSSProtocol TLSv1.2
    NSSNickname Server-Cert
    NSSCertificateDatabase /etc/httpd/alias
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>
    Include /etc/httpd/conf.d/ipa-pro-rewrite.conf
</VirtualHost>
Also, the /etc/httpd/conf.d/ipa-pro-rewrite.conf was added to match the rewrite rules:
RewriteEngine on
RewriteRule ^/$ https://ipa-server-01.pro.mydomain.local/ipa/ui [L,NC,R=301]
RewriteCond %{HTTP_HOST} !^ipa-server-01.pro.mydomain.local$ [NC]
RewriteRule ^/ipa/(.*) http://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301]
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
RewriteRule ^/ipa/(.*) https://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301,NC]
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]
Then, I had to add a new principal alias for each IPA server, like this:
ldap/ipa-server-01.pro.mydomain.local@IPA.MYDOMAIN.LOCAL, in order to solve the following
error:
trying to retrieve CA cert via LDAP from ipa-server-01.pro.mydomain.local
get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information (Server
ldap/ipa-server-01.pro.mydomain.local@IPA.MYDOMAIN.LOCAL not found in Kerberos database)
And then I've found the "Unable to communicate securely with peer: requested
domain name does not match the
server's certificate" error mentioned in my post when trying to enroll new
servers. Here is where I'm stuck so far.
I also added a DNS zone (forward and reverse) for the new environment, in this case
"pro.mydomain.local." and "0.168.192.in-addr.arpa."
I hope this will give you enough information to get around this issue.
Thanks in advance for your time and help, regards...
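As an added example (not the poster's or FreeIPA's own code), a small Python check for the last error above: it takes a certificate's subjectAltName entries, in the comma-separated form `openssl x509 -text` lists them, plus the hostnames and addresses clients use on each interface, and reports which names the certificate does not cover. The SAN and name values are constructed from the poster's example names; substitute the real Server-Cert SANs.

```python
from ipaddress import ip_address

# Constructed sample data (illustrative, not from a real deployment): the SAN
# entries of a hypothetical HTTP server certificate and the names clients use
# to reach the same server through each network interface.
SAN_ENTRIES = ["DNS:ipa-server-01.ipa.mydomain.local"]
CLIENT_FACING_NAMES = [
    "ipa-server-01.ipa.mydomain.local",
    "ipa-server-01.pro.mydomain.local",
    "192.168.0.1",
]


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, and a wildcard is only
    honoured as the entire left-most label (so '*.pro.mydomain.local' matches
    one label, never 'a.b.pro.mydomain.local' and never a bare '*.local')."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def parse_san(entries):
    """Split SAN entries into DNS patterns and IP addresses; other types are skipped."""
    dns, ips = set(), set()
    for entry in entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            dns.add(value)
        elif kind in ("IP", "IP ADDRESS"):
            ips.add(ip_address(value))
    return dns, ips


def uncovered_names(san_entries, names):
    """Return the names a TLS client would reject for this certificate, i.e.
    exactly those that trigger 'requested domain name does not match'."""
    dns, ips = parse_san(san_entries)
    missing = []
    for name in names:
        try:
            covered = ip_address(name) in ips
        except ValueError:
            covered = any(dns_name_matches(p, name) for p in dns)
        if not covered:
            missing.append(name)
    return missing
```

Any name in the returned list fails the client's hostname check no matter how the VirtualHost or rewrite rules are arranged; the certificate itself has to carry that name (or a matching IP entry) as a SAN.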