Hello,

As described, your certificate should be generated with altnames (SAN) to have all DNS names: hostname and alias ...
Best regards

On Sun, 12 Feb 2023 at 08:49, Alberto Crescente <alberto.cresce...@pd.infn.it> wrote:
> Hi, I have 3 LDAP servers in a multi-master setup for replication with
> TLS. TLS is also used in the connection between servers and sssd clients.
>
> The hostnames of the nodes are server1, server2 and server3, so when I
> configured the replication agreement I used these names:
>
> Ex:
>
> dsconf LDAP -D "cn=Directory Manager" repl-agmt create
> --suffix="dc=example,dc=com" --host="server2.example.com" --port=636
> --conn-protocol=LDAPS --bind-dn="cn=replication manager,cn=config"
> --bind-passwd="secret" --bind-method=SIMPLE --init
> agreement-server1-to-server2
>
> I'd like to use DNS aliases instead of server hostnames in the sssd.conf
> file on the clients, so that I can replace a server with a new one by
> simply changing the alias, without changing the configuration on the
> clients.
>
> So I defined aliases auth1, auth2 and auth3 in DNS and used them in
> sssd.conf on clients.
>
> With this configuration I have a problem with TLS certificates. If in
> the certificate I set the CN equal to the hostname, the sssd clients
> give the following error: "TLS: hostname does not match CN", while if I
> set the CN equal to the alias name I get a mismatch error in the replica.
>
> Is there a solution to the problem?
>
>
> Thanks,
>
> Alberto Crescente.
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
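Why the reply's advice fixes both errors at once can be checked without touching a real certificate. The following is an added illustration (my own code, not from the list or the 389-ds project) of the name-matching rule in RFC 6125 that TLS clients apply: when a certificate carries dNSName entries in its subjectAltName, those entries decide the match and the CN is only a fallback for SAN-less certificates. The hostname server2.example.com and alias auth2.example.com are constructed from the thread; the certificates are modelled by their names only.

```python
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity-bearing parts of an X.509 server certificate."""
    cn: str                                            # subject commonName
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _dns_id_matches(pattern: str, name: str) -> bool:
    """Case-insensitive comparison of one certificate DNS-ID with a hostname.
    A single leading '*' label matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    labels = name.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def matches_hostname(cert: CertIdentity, hostname: str) -> bool:
    """RFC 6125 rule: if any dNSName SAN is present only the SAN list is consulted;
    the CN is consulted only for certificates without a dNSName SAN."""
    if cert.san_dns:
        return any(_dns_id_matches(p, hostname) for p in cert.san_dns)
    return _dns_id_matches(cert.cn, hostname)


def report(cert: CertIdentity, names: list[str]) -> dict[str, bool]:
    """Map each name a peer might connect with to whether the certificate covers it."""
    return {n: matches_hostname(cert, n) for n in names}


# Constructed names mirroring the thread: the replication agreement uses the
# real hostname, the sssd clients use the DNS alias.
REPLICA_NAME = "server2.example.com"
ALIAS_NAME = "auth2.example.com"
NAMES = [REPLICA_NAME, ALIAS_NAME]

CN_ONLY_CERT = CertIdentity(cn=REPLICA_NAME)    # what the sssd clients reject
ALIAS_CN_CERT = CertIdentity(cn=ALIAS_NAME)     # what the replica rejects
SAN_CERT = CertIdentity(cn=REPLICA_NAME, san_dns=[REPLICA_NAME, ALIAS_NAME])

if __name__ == "__main__":
    for label, cert in [("CN=hostname", CN_ONLY_CERT),
                        ("CN=alias", ALIAS_CN_CERT),
                        ("CN=hostname + SAN", SAN_CERT)]:
        print(f"{label:20} {report(cert, NAMES)}")
```

Some older TLS libraries still fall back to the CN even when a SAN is present, so the only configuration that works everywhere is the one the reply recommends: every name a peer may use (hostnames and aliases) listed in the SAN, with the CN treated as decorative.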