6:48 p.m.
Hello list,
I'm facing a new issue here. My FreeIPA setup has several domains, one for each
different environments it provides authentication to, and listening on a different network
interface on the same servers for each environment (something like 192.168.0.0/24 for
production, 192.168.2.0/24 for staging, and there is no route between these networks), but
of course there is just one realm.
My issue here is, when I try to enroll new clients to the FreeIPA, the installation is
rejecting the server because it doesn't match the domain in the certificate of the
server. You can see the error message bellow:
* About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
* Trying 192.168.0.1...
* Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
* start date: Jun 14 22:11:30 2019 GMT
* expire date: Jun 14 22:11:30 2021 GMT
* common name: ipa-server-03.ipa.mydomain.local
* issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the
server's certificate.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining: Unable to communicate
securely with peer: requested domain name does not match the server's certificate.
This is the command I'm using to enroll the clients:
ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local
--hostname=client-1.pro.mydomain.local
Why I'm forcing the --domain parameter? In order to enroll the clients with the
appropriate DNS zone for their respective domain.
So, I've tried to add a new certificate in the httpd configuration, but I see there
are no certificates in plain text (PEM) format in the Apache configuration, but instead it
is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
NSSEngine on
NSSCipherSuite ... list of cipher suite
NSSProtocol TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
And after all my explanation here, my question is: how can I add a new NSS certificate for
my IPA Servers with the CN in the appropriate doman?, in the example above it would be
CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each certificate
with the corresponding IP address too
I've already done it via web, but it seems it doesn't work, or I'm probably
missing something here. Could anyone point me in the right direction here?
Thank you very much in advance for your time and help, regards...
9:09 p.m.
New subject: How can I add an additional certificate for a different domain name?
Raul Gomez via FreeIPA-users wrote:
Hello list,
I'm facing a new issue here. My FreeIPA setup has several domains, one for each
different environments it provides authentication to, and listening on a different network
interface on the same servers for each environment (something like 192.168.0.0/24 for
production, 192.168.2.0/24 for staging, and there is no route between these networks), but
of course there is just one realm.
My issue here is, when I try to enroll new clients to the FreeIPA, the installation is
rejecting the server because it doesn't match the domain in the certificate of the
server. You can see the error message bellow:
* About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
* Trying 192.168.0.1...
* Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
* start date: Jun 14 22:11:30 2019 GMT
* expire date: Jun 14 22:11:30 2021 GMT
* common name: ipa-server-03.ipa.mydomain.local
* issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the
server's certificate.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining: Unable to communicate
securely with peer: requested domain name does not match the server's certificate.
This is the command I'm using to enroll the clients:
ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local
--hostname=client-1.pro.mydomain.local
Why I'm forcing the --domain parameter? In order to enroll the clients with the
appropriate DNS zone for their respective domain.
So, I've tried to add a new certificate in the httpd configuration, but I see there
are no certificates in plain text (PEM) format in the Apache configuration, but instead it
is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
NSSEngine on
NSSCipherSuite ... list of cipher suite
NSSProtocol TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
And after all my explanation here, my question is: how can I add a new NSS certificate
for my IPA Servers with the CN in the appropriate doman?, in the example above it would be
CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each certificate
with the corresponding IP address too
I've already done it via web, but it seems it doesn't work, or I'm probably
missing something here. Could anyone point me in the right direction here?
Thank you very much in advance for your time and help, regards...
How do you have multiple environments/domains running if enrollment
isn't working? Why have production, staging, etc on the same IPA
infrastructure?
We need to know what version of IPA you are running. The capabilities
differ.
And what have you already done? In detail please.
rob
2:30 a.m.
New subject: How can I add an additional certificate for a different domain name?
Hi
We run separate IPA instances for different environments (rather than a single IPA setup
with multiple interfaces) - I suggest looking at that instead.
We also run different domain names across our environments: is it not just a case of
adding "--realm=BLAH" to your ipa-client-install command?
Regards
Angus
> On 23 July 2019 at 04:09 Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> Raul Gomez via FreeIPA-users wrote:
> > Hello list,
> >
> > I'm facing a new issue here. My FreeIPA setup has several domains, one for
each different environments it provides authentication to, and listening on a different
network interface on the same servers for each environment (something like 192.168.0.0/24
for production, 192.168.2.0/24 for staging, and there is no route between these networks),
but of course there is just one realm.
> >
> > My issue here is, when I try to enroll new clients to the FreeIPA, the
installation is rejecting the server because it doesn't match the domain in the
certificate of the server. You can see the error message bellow:
> >
> > * About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
> > * Trying 192.168.0.1...
> > * Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /etc/ipa/ca.crt
> > CApath: none
> > * Server certificate:
> > * subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
> > * start date: Jun 14 22:11:30 2019 GMT
> > * expire date: Jun 14 22:11:30 2021 GMT
> > * common name: ipa-server-03.ipa.mydomain.local
> > * issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
> > * NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
> > * Unable to communicate securely with peer: requested domain name does not match
the server's certificate.
> > * Closing connection 0
> > libcurl failed to execute the HTTP POST transaction, explaining: Unable to
communicate securely with peer: requested domain name does not match the server's
certificate.
> >
> > This is the command I'm using to enroll the clients:
> >
> > ipa-client-install -v --enable-dns-updates --mkhomedir
--domain=pro.mydomain.local --hostname=client-1.pro.mydomain.local
> >
> > Why I'm forcing the --domain parameter? In order to enroll the clients with
the appropriate DNS zone for their respective domain.
> >
> > So, I've tried to add a new certificate in the httpd configuration, but I
see there are no certificates in plain text (PEM) format in the Apache configuration, but
instead it is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
> >
> > NSSEngine on
> > NSSCipherSuite ... list of cipher suite
> > NSSProtocol TLSv1.2
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> >
> > And after all my explanation here, my question is: how can I add a new NSS
certificate for my IPA Servers with the CN in the appropriate doman?, in the example above
it would be CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each
certificate with the corresponding IP address too
> >
> > I've already done it via web, but it seems it doesn't work, or I'm
probably missing something here. Could anyone point me in the right direction here?
> >
> > Thank you very much in advance for your time and help, regards...
>
> How do you have multiple environments/domains running if enrollment
> isn't working? Why have production, staging, etc on the same IPA
> infrastructure?
>
> We need to know what version of IPA you are running. The capabilities
> differ.
>
> And what have you already done? In detail please.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
12:06 p.m.
New subject: How can I add an additional certificate for a different domain name?
Hello Rob,
Thanks for chipping in!
How do you have multiple environments/domains running if enrollment
isn't working?
Well, the project started just in one environment, and several clients were enrolled.
Then, my manager wanted me to include other environments as well, but there were no
network routes to them so I added a new network interface to the FreeIPA servers for each
new environment (2 more so far) and there's were I haven't managed to enroll new
clients.
Why have production, staging, etc on the same IPA infrastructure?
There are several reasons, and although my first idea when I was asked to add more
environments was to deploy new IPA servers in a "remote" location, the lack of
resources we have right now and because the total amount of clients is not that big,
around 30 counting all environments, that gave me a hard time to convince my manager to
authorize the deployment of a new IPA infrastructure for each environment.
We need to know what version of IPA you are running. The capabilities
differ.
My bad, I forgot to add it. I'm using FreeIPA 4.6.4 from CentOS 7.6 (server and
clients), all software updated around three weeks ago:
- krb5 1.15.1-37
- ipa 4.6.4-10
- sssd 1.16.2-13
- httpd 2.4.6-89
- nss 3.36.0-7.1
And what have you already done? In detail please.
So far, I encountered several errors while trying to enroll new clients, and I was able to
solve them by performing this actions in this particular order:
I have added a VirtualHost section in the /etc/httpd/conf.d/nss.conf file for each network
interface on each IPA server (I have 3 in total) to avoid the "301 moved
permanently" error, something like this:
<VirtualHost 192.168.0.1:443> # I've changed the "_default_:443" value
in order to match the network addresses
ServerName ipa-server-01.ipa.mydomain.local
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel warn
NSSEngine on
NSSCipherSuite ... list of cipher suites
NSSProtocol TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
Include /etc/httpd/conf.d/ipa-pro-rewrite.conf
</VirtualHost>
Also, the /etc/httpd/conf.d/ipa-pro-rewrite.conf was added to match the rewrite rules:
RewriteEngine on
RewriteRule ^/$ https://ipa-server-01.pro.mydomain.local/ipa/ui [L,NC,R=301]
RewriteCond %{HTTP_HOST} !^ipa-server-01.pro.mydomain.local$ [NC]
RewriteRule ^/ipa/(.*) http://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301]
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI}
!^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
RewriteRule ^/ipa/(.*) https://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301,NC]
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]
Then, I had to add a new principal alias for each IPA server, like this:
ldap/ipa-server-01.pro.mydomain.local(a)IPA.MYDOMAIN.LOCAL in order to solve the following
error:
trying to retrieve CA cert via LDAP from ipa-server-01.pro.mydomain.local
get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information (Server
ldap/ipa-server-01.pro.mydomain.local(a)IPA.MYDOMAIN.LOCAL not found in Kerberos database)
And then I've found the "Unable to communicate securely with peer: requested
domain name does not match the
server's certificate" error mentioned in my post when trying to enroll new
servers. Here is where I'm stuck so far.
I also added a DNS zone (forward and reverse) for the new environment, in this case
"pro.mydomain.local." and "0.168.192.in-addr.arpa."
I hope this will give you enough information to get around this issue.
Thanks in advance for you time and help, regards...
2:47 a.m.
New subject: How can I add an additional certificate for a different domain name?
On ma, 22 heinä 2019, Raul Gomez via FreeIPA-users wrote:
This is the command I'm using to enroll the clients:
ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local
--hostname=client-1.pro.mydomain.local
Why I'm forcing the --domain parameter? In order to enroll the clients
with the appropriate DNS zone for their respective domain.
This is wrong.
As ipa-client-install documentation says, --domain option points to the
primary IPA domain for this deployment. "Primary" means the one equal to
IPA Kerberos realm. The primary domain is the one that is used to create
a base DN in LDAP:
example.com -> dc=example,dc=com
You can deploy clients in other DNS domains without any problem but
you'd need to follow few rules so that auto-discovery would work, they
all covered in the man page for ipa-client-install, section 'DNS
autodiscovery'.
Once those machines deployed, they can ask for certificates using their
hostname and there will be no problem on issuing ones.
If you have systems that cannot directly communicate, make sure to
deploy masters in both segments and allow them communicating with each
other, then define IPA locations to make sure clients are preferring
their own location's servers. Make sure to include CA replicas too at
both locations. There are also few more nuances that you can see in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1738
days inactive
1739
days old
freeipa-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Angus Clarke -
Raul Gomez -
Rob Crittenden