On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
[root@client01 ~]# rpm -qa openldap
openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 268370363 (0xfff01bb)
         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
         Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG"
         Validity:
             Not Before: Fri Feb 16 21:18:08 2018
             Not After : Mon Feb 17 21:18:08 2020
         Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG"
         Subject Public Key Info:
             Public Key Algorithm: PKCS #1 RSA Encryption
             RSA Public Key:
                 Modulus:
                     d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21:
                     7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc:
                     ...
                     66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b
                 Exponent: 65537 (0x10001)
         Signed Extensions:
             Name: Certificate Authority Key Identifier
             Key ID:
                 74:...:63:
                 c1:37:5b:e9

             Name: Authority Information Access
             Method: PKIX Online Certificate Status Protocol
             Location:
                 URI: "http://ipa-ca.ipa.domain.org/ca/ocsp";

             Name: Certificate Key Usage
             Critical: True
             Usages: Digital Signature
                     Non-Repudiation
                     Key Encipherment
                     Data Encipherment

             Name: Extended Key Usage
                 TLS Web Server Authentication Certificate
                 TLS Web Client Authentication Certificate

             Name: CRL Distribution Points
             Distribution point:
                 URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin";
                 CRL issuer:
                     Directory Name: "CN=Certificate Authority,O=ipaca"

             Name: Certificate Subject Key ID
             Data:
                 b4:...:60:
                 71:ef:da:b7

             Name: Certificate Subject Alt Name
             Other Name: "ldap/server2.ipa.domain....@ipa.domain.org"
                 OID: Microsoft NT Principal Name

Bingo, I think we found the issue. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1781799#c11.

You can try to replace your LDAP server cert with a certificate containing the hostname in the Subject Alt Name extension.
On the server:
(back up the /etc/dirsrv/slapd NSS database first)
getcert list -d /etc/dirsrv/slapd-<DOMAIN>
Note the tracking id

getcert resubmit -i <id> -D `hostname`

This will renew the server cert with a new cert having the additional SAN extension containing the hostname.

After that, retry the client install. I'm crossing my fingers, but this should succeed.
flo


             Other Name: Sequence {
                 [0]: {
                     1b:0d:4....:52:47
                 }
                 [1]: {
                     Sequence {
                         [0]: {
                             1 (0x1)
                         }
                         [1]: {
                             Sequence {
                                 1b:04:...:70
                                 1b:17:....32:2e:69:70:61:
                                 2e:75:.....6f:72:67
                             }
                         }
                     }
                 }
             }
                 OID: OID.1.3.6.1.5.2.2

     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
     Signature:
         84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
                ...
         88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
     Fingerprint (SHA-256):
         F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
     Fingerprint (SHA1):
         A6:32:14:.....46:4A:97:A0:67:A3

     Mozilla-CA-Policy: false (attribute missing)
     Certificate Trust Flags:
         SSL Flags:
             User
         Email Flags:
             User
         Object Signing Flags:
             User

Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com>
Sent: Friday, January 10, 2020 15:56
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Christian Heimes 
<chei...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello Christian,

It is a standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled
0

Can you also check the following:
- which version of openldap is installed on the client:
rpm -qa openldap

- does the LDAP server certificate contain SAN extensions: on the master, certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert

flo

Thanks & Regards.

-----Original Message-----
From: Christian Heimes <chei...@redhat.com>
Sent: Friday, January 10, 2020 13:13
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>;
Florence Blanc-Renaud <f...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:
It seems that I have found the problem. It is TLSv1.3; I have tried to connect 
with TLSv1.2 and the connection was OK:
Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? 
There have been known issues with FIPS mode, NSS (crypto library used by 
389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register:
Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera,
Laurie Krebs, Michael O'Neill, Thomas Savage

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
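As an added example (not part of the thread, and not FreeIPA or certmonger code), a POSIX shell check for the condition Florence points at: it reads the `certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert` dump on stdin and reports whether the Subject Alt Name extension contains a DNS name entry equal to the host, which is what the `getcert resubmit -D` renewal is meant to add. The function name and both embedded dumps are constructed for the example.

```shell
#!/bin/sh
# Added example: does the 389-DS Server-Cert carry a dNSName SAN for this host?
# Real use: certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert | san_has_hostname "$(hostname)"
san_has_hostname() {
    # $1 = expected hostname; certutil -L text on stdin.
    # Exit 0 when the "Certificate Subject Alt Name" extension holds
    # DNS name: "<hostname>" (compared case-insensitively), 1 otherwise.
    awk -v host="$1" '
        /Name: Certificate Subject Alt Name/ { in_san = 1; next }
        in_san && /^[ \t]*(Name: |Signature Algorithm:)/ { in_san = 0 }   # next extension / end of extensions
        in_san && /^[ \t]*$/ { in_san = 0 }                                # blank line ends the block
        in_san && /DNS name: "/ {
            v = $0; sub(/.*DNS name: "/, "", v); sub(/".*/, "", v)
            if (tolower(v) == tolower(host)) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample 1: SAN carrying only the Kerberos principal Other Name,
# the shape seen in the thread (no DNS name entry at all).
SAN_NO_DNS='             Name: Certificate Subject Alt Name
             Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
                 OID: Microsoft NT Principal Name

     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

# Constructed sample 2: the shape expected after the renewal adds the dNSName.
SAN_WITH_DNS='             Name: Certificate Subject Alt Name
             DNS name: "server2.ipa.domain.org"
             Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
                 OID: Microsoft NT Principal Name

     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

for dump in "$SAN_NO_DNS" "$SAN_WITH_DNS"; do
    if printf '%s\n' "$dump" | san_has_hostname server2.ipa.domain.org; then
        echo "OK: dNSName SAN matches server2.ipa.domain.org"
    else
        echo "MISSING: no dNSName SAN for server2.ipa.domain.org; renew the cert so it carries one"
    fi
done
```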
