Hello,

You are right! It worked.

Thank you very much.

Thanks & Regards.

-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com> 
Sent: Friday, January 10, 2020 16:33
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Christian Heimes 
<chei...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> [root@client01 ~]# rpm -qa openldap
> openldap-2.4.46-10.el8.x86_64
> 
> [root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n 
> Server-Cert
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 268370363 (0xfff01bb)
>          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG"
>          Validity:
>              Not Before: Fri Feb 16 21:18:08 2018
>              Not After : Mon Feb 17 21:18:08 2020
>          Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Modulus:
>                      d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21:
>                      7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc:
>                      ...
>                      66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b
>                  Exponent: 65537 (0x10001)
>          Signed Extensions:
>              Name: Certificate Authority Key Identifier
>              Key ID:
>                  74:...:63:
>                  c1:37:5b:e9
> 
>              Name: Authority Information Access
>              Method: PKIX Online Certificate Status Protocol
>              Location:
>                  URI: 
> "http://ipa-ca.ipa.domain.org/ca/ocsp"
> 
>              Name: Certificate Key Usage
>              Critical: True
>              Usages: Digital Signature
>                      Non-Repudiation
>                      Key Encipherment
>                      Data Encipherment
> 
>              Name: Extended Key Usage
>                  TLS Web Server Authentication Certificate
>                  TLS Web Client Authentication Certificate
> 
>              Name: CRL Distribution Points
>              Distribution point:
>                  URI: 
> "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin"
>                  CRL issuer:
>                      Directory Name: "CN=Certificate Authority,O=ipaca"
> 
>              Name: Certificate Subject Key ID
>              Data:
>                  b4:...:60:
>                  71:ef:da:b7
> 
>              Name: Certificate Subject Alt Name
>              Other Name: "ldap/server2.ipa.domain....@ipa.domain.org"
>                  OID: Microsoft NT Principal Name

Bingo, I think we found the issue. Please see 
https://bugzilla.redhat.com/show_bug.cgi?id=1781799#c11.

You can try to replace your LDAP server cert with a certificate containing the 
hostname in the Subject Alt Name extension.
On the server:
(backup the /etc/dirsrv/slapd NSS database first)
getcert list -d /etc/dirsrv/slapd-<DOMAIN>
Note the tracking id

getcert resubmit -i <id> -D `hostname`

This will renew the server cert with a new cert having the additional SAN 
extension containing the hostname.

After that, retry the client install. Crossing my fingers, but this should 
succeed.
flo


>              Other Name: Sequence {
>                  [0]: {
>                      1b:0d:4....:52:47
>                  }
>                  [1]: {
>                      Sequence {
>                          [0]: {
>                              1 (0x1)
>                          }
>                          [1]: {
>                              Sequence {
>                                  1b:04:...:70
>                                  1b:17:....32:2e:69:70:61:
>                                  2e:75:.....6f:72:67
>                              }
>                          }
>                      }
>                  }
>              }
>                  OID: OID.1.3.6.1.5.2.2
> 
>      Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>      Signature:
>          84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
>               ...
>          88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
>      Fingerprint (SHA-256):
>          F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
>      Fingerprint (SHA1):
>          A6:32:14:.....46:4A:97:A0:67:A3
> 
>      Mozilla-CA-Policy: false (attribute missing)
>      Certificate Trust Flags:
>          SSL Flags:
>              User
>          Email Flags:
>              User
>          Object Signing Flags:
>              User
> 
> Thanks & Regards.
> -----Original Message-----
> From: Florence Blanc-Renaud <f...@redhat.com>
> Sent: Friday, January 10, 2020 15:56
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Christian 
> Heimes <chei...@redhat.com>
> Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
> Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client
> 
> On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>> Hello Christian,
>>
>> It is a standard installation.
>>
>> [root@server2 ~]# cat /proc/sys/crypto/fips_enabled
>> 0
>>
> Can you also check the following:
> - which version of openldap is installed on the client:
> rpm -qa openldap
> 
> - does the LDAP server certificate contain SAN extensions: on the master 
> certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert
> 
> flo
> 
>> Thanks & Regards.
>>
>> -----Original Message-----
>> From: Christian Heimes <chei...@redhat.com>
>> Sent: Friday, January 10, 2020 13:13
>> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>;
>> Florence Blanc-Renaud <f...@redhat.com>
>> Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
>> Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client
>>
>> On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>> Seems that I have found the problem. It is TLSv1.3; I have tried to connect 
>>> with TLSv1.2 and the connection was OK:
>> Hi,
>>
>> is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? 
>> There have been known issues with FIPS mode, NSS (crypto library used by 
>> 389-DS), and TLS 1.3 in the past.
>>
>> I'm going to create a reproducer setup and try to come up with a workaround 
>> now.
>>
>> Christian
>>
>> --
>> Christian Heimes
>> Principal Software Engineer, Identity Management and Platform Security
>>
>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors:
>> Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
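The diagnosis in the thread is that the LDAP Server-Cert carries only otherName entries in its Subject Alt Name (a Kerberos principal and a Microsoft UPN) and no dNSName for the host, so a client that matches the hostname strictly against the SAN rejects it. The following is an added example, not code from the thread, from FreeIPA or from OpenLDAP: it hand-encodes a subjectAltName extension value in DER modelled on the certificate dump above, extracts the dNSName entries, and applies a SAN-only hostname match, with a `cn_fallback` switch that models the older lenient rule of consulting the subject CN. The OIDs are the real ones; the function names, the placeholder body of the Kerberos principal, and the sample values are constructed for illustration, and only the extension value is modelled, not a whole certificate.

```python
"""Strict subjectAltName hostname matching, modelled on what a modern TLS client
applies to an LDAP server certificate.  Added example, not code from the thread,
FreeIPA or OpenLDAP: DER helpers, sample SAN values and rules are constructed."""

# GeneralName context tags (RFC 5280, section 4.2.1.6) and the universal tags used
TAG_OTHER_NAME, TAG_DNS_NAME = 0xA0, 0x82   # [0] otherName (constructed), [2] dNSName
TAG_SEQUENCE, TAG_OID, TAG_UTF8, TAG_EXPLICIT_0 = 0x30, 0x06, 0x0C, 0xA0

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return _tlv(TAG_OID, bytes(out))

def other_name(oid, value_der):
    """otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }"""
    return _tlv(TAG_OTHER_NAME, _oid(oid) + _tlv(TAG_EXPLICIT_0, value_der))

def dns_name(host):
    return _tlv(TAG_DNS_NAME, host.encode("ascii"))

def build_san(*general_names):
    """SubjectAltName ::= GeneralNames ::= SEQUENCE OF GeneralName"""
    return _tlv(TAG_SEQUENCE, b"".join(general_names))

def _read_tlv(buf, i):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                       # long-form length
        k = length & 0x7F
        length, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + length], i + length

def san_dns_names(san_der):
    """Extract the dNSName entries; otherName, IP and other types are skipped."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    names, i = [], 0
    while i < len(body):
        tag, value, i = _read_tlv(body, i)
        if tag == TAG_DNS_NAME:
            names.append(value.decode("ascii").lower())
    return names

def hostname_matches(hostname, san_der, subject_cn=None, cn_fallback=False):
    """Strict check: the host must appear as a dNSName.  cn_fallback=True models
    the older lenient rule of consulting the subject CN only when the SAN has
    no dNSName at all (RFC 6125, section 6.4.4); strict clients never do it."""
    host = hostname.lower().rstrip(".")
    names = san_dns_names(san_der)
    if not names and cn_fallback and subject_cn:
        names = [subject_cn.lower()]
    for name in names:
        if name.startswith("*."):
            # a wildcard covers exactly one leftmost label, nothing deeper
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

# Constructed SAN modelled on the thread's Server-Cert: otherName entries only, a
# Microsoft UPN (1.3.6.1.4.1.311.20.2.3, UTF8String) and a Kerberos principal
# (1.3.6.1.5.2.2) whose body is an empty-SEQUENCE placeholder (never inspected).
PRINCIPAL = "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
OTHER_NAMES = (
    other_name("1.3.6.1.4.1.311.20.2.3", _tlv(TAG_UTF8, PRINCIPAL.encode("ascii"))),
    other_name("1.3.6.1.5.2.2", _tlv(TAG_SEQUENCE, b"")),
)
SAN_BEFORE = build_san(*OTHER_NAMES)
# What a renewal with "getcert resubmit -D <hostname>" is meant to add:
SAN_AFTER = build_san(dns_name("server2.ipa.domain.org"), *OTHER_NAMES)

if __name__ == "__main__":
    host = "server2.ipa.domain.org"
    print("strict, before renewal:", hostname_matches(host, SAN_BEFORE))  # False
    print("CN fallback, before:", hostname_matches(host, SAN_BEFORE, host, True))  # True
    print("strict, after renewal:", hostname_matches(host, SAN_AFTER))  # True
```

Run it as a script to see the three outcomes: the pre-renewal SAN fails the strict check and passes only with the CN fallback, while the SAN that also carries the dNSName passes strictly. In a real client the whole certificate is parsed and the SAN is the extension whose OID is 2.5.29.17; this example takes the extension value directly so it runs offline.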
