I should have thought of this sooner, but it appears I can fake it out with an entry in the dr-cas hosts file to point ldap.example.edu to the IP for dr-ldap.example.edu.
On Mon, Oct 4, 2021 at 9:25 AM Carl Waldbieser <[email protected]> wrote:
> Well, you'd need to at least update all the DR certs in use. The production service certs could be left alone until they expire, but you'd probably want to eventually consolidate those.
>
> You can probably get ldaptive to ignore the hostname verification when your DR CAS client instance queries your DR LDAP service, but you could just configure it to use the DR LDAP service's current name if you just wanted to quickly verify the service starts up. Presumably the DR DNS name will still be around during a fail over?
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Mon, Oct 4, 2021 at 2:53 PM Baron Fujimoto <[email protected]> wrote:
>> Hmm, maybe? But then wouldn't we have to update all the certs in use? I was hoping for something we could just enable temporarily that would allow us to test sufficiently to give us enough confidence that it generally works as expected.
>>
>> On Mon, Oct 4, 2021 at 8:17 AM Carl Waldbieser <[email protected]> wrote:
>>> Baron,
>>>
>>> Couldn't you just put subject alternative names on the certificate to include both the DR name and the production service name?
>>>
>>> Thanks,
>>> Carl Waldbieser
>>> ITS
>>> Lafayette College
>>>
>>> On Mon, Oct 4, 2021 at 2:01 PM Baron Fujimoto <[email protected]> wrote:
>>>> This isn't strictly a CAS issue, but we're encountering it trying to test CAS so I'm hoping someone may be able to offer suggestions.
>>>>
>>>> We have a disaster recovery (DR) instance of our login stack that includes CAS (which uses a DR instance of LDAP). These instances have hostnames that follow a convention something like dr-cas.example.edu and dr-ldap.example.edu. However, they use TLS certificates that use the non-dr- versions of their hostnames, e.g., cas.example.edu and ldap.example.edu. The idea being that in the event we actually need to make use of the DR instance of the CAS/LDAP login stack, DNS changes would point cas.example.edu to dr-cas.example.edu, and ldap.example.edu to dr-ldap.example.edu.
>>>>
>>>> This presents a challenge though to test the DR instance of our login stack without making the aforementioned DNS changes.
>>>>
>>>> When CAS is started, it throws an exception:
>>>>
>>>> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname verification failed for dr-ldap.example.edu using [org.ldaptive.ssl.HostnameVerifierAdapter@20...63::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@41...82]
>>>>
>>>> Is there a way to get CAS to temporarily disable or ignore hostname verification via a property or Java option so that we can confirm things are otherwise working as expected? Any suggestions would be appreciated.
>>>> --
>>>> Baron Fujimoto <[email protected]> :: UH Information Technology Services
>>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL16hZqpddPZv2q4-q6JeC1xEK7FpDS_c8SUJnyt0i84EA%40mail.gmail.com
>>
>> --
>> Baron Fujimoto <[email protected]> :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
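To make the three options discussed in the thread concrete, here is an added Python check (not code from the thread, CAS or ldaptive) that reimplements an RFC 6125-style dNSName matching rule, assumed here to approximate what the verifier in the stack trace applies, and runs each option against constructed certificates in the shape Python's `ssl` `getpeercert()` returns. It shows why the hosts-file trick passes (the verifier compares the name the client connected with against the SANs, never the resolved address) and why a certificate carrying both names is the durable fix; all SAN lists and hostnames below are constructed from the thread's example names.

```python
from typing import Iterable


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    Exact match, or a '*' that is the whole left-most label of a pattern with
    at least three labels; the wildcard never spans a label boundary.
    (Assumed approximation of the verifier's rule, not ldaptive's own code.)
    """
    host = hostname.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def san_dns_names(peercert: dict) -> list:
    """Pull the dNSName entries out of an ssl.SSLSocket.getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_is_verified(connect_name: str, san_names: Iterable[str]) -> bool:
    """True when the name the client connected with is covered by the SANs."""
    return any(dns_name_matches(connect_name, p) for p in san_names)


# Constructed peer-cert dicts in getpeercert() shape: the production LDAP cert
# the DR server presents today, and a reissued cert that also names the DR host.
PROD_CERT = {"subjectAltName": (("DNS", "ldap.example.edu"),)}
DUAL_NAME_CERT = {"subjectAltName": (("DNS", "ldap.example.edu"),
                                     ("DNS", "dr-ldap.example.edu"))}


def dr_test_options() -> dict:
    """Each option from the thread, as the hostname verifier sees it."""
    return {
        # CAS points at dr-ldap.example.edu, server shows the prod cert:
        # this is the SSLPeerUnverifiedException in the thread.
        "dr_name_prod_cert": name_is_verified("dr-ldap.example.edu", san_dns_names(PROD_CERT)),
        # hosts-file trick: CAS connects by ldap.example.edu, which the hosts
        # file resolves to the DR IP; the verifier only compares names.
        "hosts_file_prod_cert": name_is_verified("ldap.example.edu", san_dns_names(PROD_CERT)),
        # SAN fix: the DR name is on the cert, nothing has to be faked.
        "dr_name_dual_san_cert": name_is_verified("dr-ldap.example.edu", san_dns_names(DUAL_NAME_CERT)),
    }
```

Against a live server, the dict returned by `ssl.SSLSocket.getpeercert()` can be passed straight to `san_dns_names` in place of the constructed ones.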
