On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> Hi,
>
> I am using FreeIPA v4. Some of the client products do not support LDAP
> failover, so I am configuring an LDAP load balancer based on KeepAlived to
> do LDAP stream fail-over.
> I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA
> service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias
> entry.
>
> Everything works as expected except TLS certificate verification on the
> client side: the hostname required by the client is ldapha.xxx, the stream
> is load balanced by KeepAlived onto ds01 or ds02, and the certificate
> provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake failed.
>
> nssdb certificate request:
> Request ID 'yyy':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: xxxx
>         subject: CN=ds02.xxxx
>         expires: 2019-03-24 13:33:31 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
>         track: yes
>         auto-renew: yes
>
> ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
>
> Adding a new SAN to the default LDAP certificate in the NSS DB is possible
> with the command above, but is it recommended/supported? When the FreeIPA
> software is updated, will this SAN configuration persist?
> What is the best/recommended solution to cover this need?
>

That is a valid approach. Certmonger will remember the configuration so you
only need to do this once.

Cheers,
Fraser

> Thank you for your help
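The handshake failure above comes down to a name check: the client connects to ldapha.xxx, but the certificate only names ds02. The following is an added example (not code from the thread or from FreeIPA) that applies the client-side matching rule to a certificate's SAN list, reports which names clients may request that the certificate does not cover, and builds the `ipa-getcert resubmit` line with every name passed via `-D`, as in the command in the thread. Hostnames and the request ID are constructed placeholders; the example assumes that the resubmit must list every desired dNSName, not only the new one.

```python
"""Check a server certificate's dNSName SANs against the names LDAP clients will
request, and build the certmonger resubmit command that covers the gaps.
Constructed example for the FreeIPA load-balancer question; names are placeholders."""
import shlex


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match as TLS clients apply it: case-insensitive exact match,
    or a wildcard only in the left-most label (*.example.test matches
    ds01.example.test but not a.b.example.test)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def missing_names(san_dns: list[str], required: list[str]) -> list[str]:
    """Names clients will present that no SAN entry in the certificate covers.
    A certificate whose only name is the subject CN fails for the VIP hostname."""
    return [n for n in required if not any(hostname_matches(s, n) for s in san_dns)]


def resubmit_command(request_id: str, san_dns: list[str], required: list[str]) -> str:
    """Assumption: the resubmit must name every dNSName wanted in the new
    certificate, so existing SAN entries are kept and missing ones appended,
    each with its own -D, preserving order and dropping duplicates."""
    names = list(dict.fromkeys(san_dns + missing_names(san_dns, required)))
    argv = ["ipa-getcert", "resubmit", "-i", request_id]
    for name in names:
        argv += ["-D", name]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: cert names only the host,
    # clients use the load-balanced name as well.
    cert_sans = ["ds02.example.test"]
    client_names = ["ldapha.example.test", "ds02.example.test"]
    print("missing:", missing_names(cert_sans, client_names))
    print(resubmit_command("yyy", cert_sans, client_names))
```

Run the check again after certmonger has renewed the certificate; an empty missing list means every name the clients use is covered.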