Hello

IPA can sign certificate requests with subjectAltName (SAN)
extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL
certificate request(s), adding the '-D' option to specify the DNSNAME
value for each of the VIPs:

    First, on each IPA server, run 'ipa-getcert list' to find the
Request ID for the back-end LDAP SSL certificate(s)
(nickname='Server-Cert') that are being tracked:

    # ipa-getcert list
    Number of certificates and requests being tracked: 8.
    Request ID '20120717215052':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        expires: 2014-07-18 21:50:52 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

    Using the Request ID from the above command, resubmit the request
and add the FQDNs for the VIPs:

    # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>

But before that, you need to add vip.example.com to IPA first and add it
as a service:

# ipa host-add vip.example.com
# ipa service-add ldap/vip.example.com
# ipa service-add-host ldap/vip.example.com --host `hostname`

Now:

    # ipa-getcert list
    # ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>

Regards
Arpit Tolani

On Mon, Jun 12, 2017 at 2:49 PM, ridha.zorgui--- via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> I set up a FreeIPA master and replica behind an elastic load balancer in the AWS
> cloud. FreeIPA clients will be contacting the replica and the master server
> through the load balancer, so the DNS name used when configuring the clients
> is the ELB CNAME. The problem is that when retrieving data and during
> authentication, the SSL handshake fails, as the certificate sent back from the
> master or replica has a hostname different from the one used in sssd, so
> the connection is terminated. There is a workaround, which is to use
> reqcert=allow, but this brings a security issue with a MITM attack. Another
> solution I found is to use SAN, but I don't seem to get it right. Any
> thoughts on how to solve that will be very helpful.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
-- 
Thanks & Regards
Arpit Tolani

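As an added example, not part of the reply above and not FreeIPA's own tooling: a POSIX shell script that automates the procedure on one IPA server (run it on the master and on the replica, each with an admin Kerberos ticket). It locates the tracked 389-ds certificate by its NSS database location rather than by nickname alone, because in FreeIPA of that era the Apache database under /etc/httpd/alias was tracked under the same 'Server-Cert' nickname; it registers the VIP host and ldap service, resubmits the request with -D for both the server's own FQDN and the VIP, waits for certmonger to finish, and then checks the SAN from a client's point of view with openssl. The sample 'ipa-getcert list' output, the hostnames and the database path are constructed. Two assumptions are labelled in the code: that -D sets the request's complete dNSName list (so the server's own name is listed alongside the VIP), and that 389-ds needs a restart to load the reissued certificate (the tracking shown above has no post-save command).

```shell
#!/bin/sh
# Added example, not from the mailing-list reply or from FreeIPA itself.
# Automates the procedure on ONE IPA server; run it on every server
# (master and replica) after 'kinit admin'. Hostnames, paths and the
# sample 'ipa-getcert list' output below are constructed.

# Constructed sample of 'ipa-getcert list' output, modelled on the thread.
# Both the 389-ds database and the Apache database track a certificate
# nicknamed 'Server-Cert', so the nickname alone does not identify the
# LDAP certificate; the database location does.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120717215052':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        track: yes
Request ID '20120717215103':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        track: yes
EOF
}

# Print the Request ID of the tracked certificate stored in NSS DB $1.
# Reads 'ipa-getcert list' output on stdin; prints nothing if not found.
request_id_for_db() {
    awk -v want="location='$1'" -v q="'" '
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /key pair storage:/ && index($0, want) { print id; exit }
    '
}

# Register the VIP in IPA and re-request the LDAP server certificate with
# the VIP in its subjectAltName. $1 = VIP FQDN (the ELB CNAME),
# $2 = this server's 389-ds NSS database directory.
add_vip_to_ldap_cert() {
    vip=$1
    dbdir=$2
    me=$(hostname -f)

    # Host and service entries are shared by all servers, so on the second
    # server these two commands report "already exists"; that is harmless.
    ipa host-add "$vip" || true          # add --force if the VIP name does not resolve yet
    ipa service-add "ldap/$vip" || true
    # Let this server manage the VIP's LDAP service; the IPA CA only issues
    # a certificate naming the VIP to a host allowed to manage that service.
    ipa service-add-host "ldap/$vip" --host "$me"

    id=$(ipa-getcert list | request_id_for_db "$dbdir")
    if [ -z "$id" ]; then
        echo "no tracked certificate found for $dbdir" >&2
        return 1
    fi
    # Assumption: -D sets the request's complete dNSName list, so the
    # server's own name is listed with the VIP to keep direct connections
    # to this server valid as well.
    ipa-getcert resubmit -i "$id" -D "$me" -D "$vip"

    # certmonger reissues asynchronously; wait until the request is back
    # to MONITORING, and give up (showing the state) if it gets stuck.
    n=0
    until ipa-getcert list -i "$id" | grep -q 'status: MONITORING'; do
        n=$((n + 1))
        [ "$n" -lt 30 ] || { ipa-getcert list -i "$id" >&2; return 1; }
        sleep 2
    done
    # Assumption: 389-ds loads its certificate at start-up, so restart the
    # instance (systemd host; instance name derived from the DB directory).
    systemctl restart "dirsrv@$(basename "$dbdir" | sed 's/^slapd-//')"
}

# Client-side check: the certificate presented on the VIP's LDAPS port must
# list the VIP as a dNSName, otherwise sssd will still reject the handshake.
check_san() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | grep -A1 'Subject Alternative Name'
}

# Offline demonstration of the parser on the constructed sample:
sample_getcert_list | request_id_for_db /etc/dirsrv/slapd-EXAMPLE-COM   # 20120717215052
```

Usage on a real server would be `add_vip_to_ldap_cert vip.example.com /etc/dirsrv/slapd-EXAMPLE-COM` followed by `check_san vip.example.com` from a client; the parser keys on the database directory so that the httpd certificate, tracked under the same nickname, is never resubmitted by mistake.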