Ok, great.
I will do that (and monitor that additional SAN ldapha.xx is persistent after upgrade)
Thank you for your help
BR
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "David Goudet" <david.goudet(a)lyra-network.com>
Cc: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, July 10, 2017 11:25:56 PM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
> Hi,
> Thank you for your response.
> Certmonger will track and manage this certificate (and keep my modification), but when
> the FreeIPA software is updated, will this SAN configuration be persistent?
> Is it possible that the LDAP certificate request can be changed (deleted and re-created, for
> example) during the FreeIPA upgrade process?
Nope, FreeIPA won't change it on upgrade.
BR,
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Cc: "David Goudet" <david.goudet(a)lyra-network.com>
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> Hi,
>
> I am using FreeIPAv4; some client products do not support LDAP failover, so I
> am configuring an LDAP load balancer based on KeepAlived to do LDAP stream fail-over.
> I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA
> service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.
>
> Everything works as expected except TLS certificate verification on the client side:
> the hostname required by the client is ldapha.xxx, the stream is load balanced by KeepAlive to ds01
> or ds02, and the certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS
> handshake failed.
>
> nssdb certificate request:
> Request ID 'yyy':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: xxxx
> subject: CN=ds02.xxxx
> expires: 2019-03-24 13:33:31 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
> track: yes
> auto-renew: yes
>
> ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
>
> Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command above, but
> is it recommended/supported? When the FreeIPA software is updated, will this SAN
> configuration be persistent?
> What is the best/recommended solution to cover this need?
>
That is a valid approach. Certmonger will remember the
configuration so you only need to do this once.
Cheers,
Fraser
> Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
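An added illustration of the failure mode discussed in this thread; it is not code from the thread or from FreeIPA/certmonger. It runs the client-side hostname check that fails when a load-balanced name is not in the server certificate: first against a certificate whose subjectAltName carries only the node's own name (the stock "Server-Cert" shown in the getcert output), then against one that also lists ldapha.xxx, which is what the `ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx` command requests. It uses only the Go standard library; the self-signed test certificates are constructed in the example and stand in for the certificate the IPA CA would issue, and the hostnames are the placeholders from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueTestCert builds a self-signed certificate (constructed for this
// example; it stands in for the dirsrv "Server-Cert" that certmonger obtains
// from the IPA CA) with subject CN=cn and the given subjectAltName dNSNames.
func issueTestCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// Same key usage and EKU values the getcert output in the thread shows.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoversHost reports whether a TLS client connecting to host would accept
// cert on name-matching grounds (chain validation is a separate step and is
// not what fails in the thread).
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// HostCoverage issues a test certificate with the given CN and SANs and
// reports, per hostname, whether that certificate passes the client's name check.
func HostCoverage(cn string, sans []string, hosts []string) (map[string]bool, error) {
	cert, err := issueTestCert(cn, sans)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = CoversHost(cert, h)
	}
	return out, nil
}

func main() {
	// ds02.xxxx is the node's own name; ldapha.xxx is the KeepAlived VIP name
	// that clients are configured to verify against.
	hosts := []string{"ds02.xxxx", "ldapha.xxx"}

	// Before: SAN carries only the node name, as in the getcert output.
	before, err := HostCoverage("ds02.xxxx", []string{"ds02.xxxx"}, hosts)
	if err != nil {
		panic(err)
	}
	// After: both names, as requested by "ipa-getcert resubmit -D ds02.xxxx -D ldapha.xxx".
	after, err := HostCoverage("ds02.xxxx", []string{"ds02.xxxx", "ldapha.xxx"}, hosts)
	if err != nil {
		panic(err)
	}
	for _, h := range hosts {
		fmt.Printf("%-12s before: %-5v after: %v\n", h, before[h], after[h])
	}
}
```

The "before" run reproduces the handshake failure from the first message (ldapha.xxx is rejected while ds02.xxxx is accepted); the "after" run shows both names accepted once ldapha.xxx is a dNSName in the SAN. On the real servers the equivalent check after the resubmit is to confirm with `getcert list -i <request id>` that the tracked request lists both names, and then to connect to ldapha.xxx:636 from a hostname-verifying TLS client enough times to land on both backends.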