Hello,

IPA can sign certificate requests with subjectAltName (SAN) extensions. Use the 'ipa-getcert' command to resubmit the LDAP SSL certificate request(s), adding the '-D' option to specify the DNSNAME value for each of the VIPs:

First, on each IPA server, run 'ipa-getcert list' to find the Request ID for the back-end LDAP SSL certificate(s) (nickname='Server-Cert') that is being tracked:

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120717215052':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=rhonovo-ipa1.example.com,O=EXAMPLE.COM
        expires: 2014-07-18 21:50:52 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Using the Request ID from the above command, resubmit the request and add the FQDNs for the VIPs:

# ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>

But before that, you need to add vip.example.com in IPA first and add it as a service.

# ipa host-add vip.example.com
# ipa service-add ldap/vip.example.com
# ipa service-add-host ldap/vip.example.com --host `hostname`

Now:

# ipa-getcert list
# ipa-getcert resubmit -i 20120717215052 -D <VIP DNSName1>

Regards
Arpit Tolani

On Mon, Jun 12, 2017 at 2:49 PM, ridha.zorgui--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I set up a FreeIPA master and replica behind an elastic load balancer in AWS
> cloud. FreeIPA clients will be contacting the replica and the master server
> through the load balancer, so the DNS name used when configuring the clients
> is the ELB CNAME. The problem is that when retrieving data and during the
> authentication, the SSL handshake fails as the certificate sent back from the
> master or replica has a hostname different than the one used in the sssd, so
> the connection is terminated.
> There is a workaround, which is the use of reqcert=allow, but this brings a
> security issue with a MITM attack. Another solution I found is the use of SAN,
> but I don't seem to make it right. Any thought on how to solve that will be
> very helpful.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
Thanks & Regards
Arpit Tolani
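The following script is an added example, not code from this thread or from FreeIPA. It reproduces, with throwaway self-signed certificates, the hostname check that fails in the original post: a client that connected to the load balancer's name rejects a certificate whose only name is the server's own CN, and accepts it once the VIP is present as a DNS subjectAltName, which is what the 'ipa-getcert resubmit -D' step above achieves. The names are assumptions: rhonovo-ipa1.example.com is the server FQDN from the 'ipa-getcert list' output, vip.example.com stands for the ELB CNAME. It needs OpenSSL 1.1.1 or newer (for 'req -addext' and 'x509 -ext').

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: it reproduces the
# TLS hostname check that fails in the original post, using throwaway
# self-signed certificates so it runs without an IPA server.
# Assumed names: rhonovo-ipa1.example.com (the server FQDN in the
# 'ipa-getcert list' output above) and vip.example.com (the ELB CNAME).
# Requires OpenSSL >= 1.1.1 (for 'req -addext' and 'x509 -ext').
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN [SAN]
# Writes a self-signed cert to $WORK/NAME.pem. With SAN given, the cert has
# the shape certmonger produces after 'ipa-getcert resubmit -D <vip> ...':
# the same CN, plus DNS entries in subjectAltName.
make_cert() {
    _name=$1; _cn=$2; _san=${3:-}
    set -- req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$_name.key" -out "$WORK/$_name.pem" \
        -subj "/O=EXAMPLE.COM/CN=$_cn"
    if [ -n "$_san" ]; then
        openssl "$@" -addext "subjectAltName=$_san" >/dev/null 2>&1
    else
        openssl "$@" >/dev/null 2>&1
    fi
}

# san_names NAME -> prints the subjectAltName extension (empty if absent)
san_names() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName 2>/dev/null || true
}

# hostname_result NAME HOST -> "match" or "mismatch"
# 'openssl verify -verify_hostname' applies the same rule an LDAP client's
# TLS library uses: HOST must appear as a DNS SAN, with the CN consulted
# only when the certificate carries no DNS SANs at all.
hostname_result() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
           "$WORK/$1.pem" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# The certificate from the original post: only the server's own FQDN.
make_cert nosan rhonovo-ipa1.example.com
# The certificate after resubmitting the request with -D for the VIP.
make_cert san rhonovo-ipa1.example.com \
    "DNS:rhonovo-ipa1.example.com,DNS:vip.example.com"

for cert in nosan san; do
    echo "== $cert: $(san_names "$cert" | tr -s ' \n' ' ')"
    for host in rhonovo-ipa1.example.com vip.example.com; do
        echo "   client connecting to $host: $(hostname_result "$cert" "$host")"
    done
done
```

The 'nosan' certificate matches only rhonovo-ipa1.example.com; the 'san' certificate matches both names. On a live server the corresponding check against the real listener is `openssl s_client -connect vip.example.com:636 -servername vip.example.com </dev/null | openssl x509 -noout -ext subjectAltName`, run from a client after certmonger has renewed the certificate; the ELB name should be listed there before `ldap_tls_reqcert` in sssd.conf is returned to its default of `hard`. Each IPA server tracks its own Server-Cert request, so the resubmit has to be done on every server behind the load balancer, and '-D' can be given more than once when there are several VIPs.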