Hi

We run separate IPA instances for different environments (rather than a single IPA setup with multiple interfaces) - I suggest looking at that instead.

We also run different domain names across our environments: is it not just a case of adding "--realm=BLAH" to your ipa-client-install command?

Regards
Angus

> On 23 July 2019 at 04:09 Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
>
> Raul Gomez via FreeIPA-users wrote:
> > Hello list,
> >
> > I'm facing a new issue here. My FreeIPA setup has several domains, one for each of the different environments it provides authentication to, and listening on a different network interface on the same servers for each environment (something like 192.168.0.0/24 for production, 192.168.2.0/24 for staging, and there is no route between these networks), but of course there is just one realm.
> >
> > My issue here is, when I try to enroll new clients to the FreeIPA, the installation is rejecting the server because it doesn't match the domain in the certificate of the server. You can see the error message below:
> >
> > * About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
> > * Trying 192.168.0.1...
> > * Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /etc/ipa/ca.crt
> > CApath: none
> > * Server certificate:
> > * subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
> > * start date: Jun 14 22:11:30 2019 GMT
> > * expire date: Jun 14 22:11:30 2021 GMT
> > * common name: ipa-server-03.ipa.mydomain.local
> > * issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
> > * NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
> > * Unable to communicate securely with peer: requested domain name does not match the server's certificate.
> > * Closing connection 0
> > libcurl failed to execute the HTTP POST transaction, explaining: Unable to communicate securely with peer: requested domain name does not match the server's certificate.
> >
> > This is the command I'm using to enroll the clients:
> >
> > ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local --hostname=client-1.pro.mydomain.local
> >
> > Why am I forcing the --domain parameter? In order to enroll the clients with the appropriate DNS zone for their respective domain.
> >
> > So, I've tried to add a new certificate in the httpd configuration, but I see there are no certificates in plain text (PEM) format in the Apache configuration; instead it is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
> >
> > NSSEngine on
> > NSSCipherSuite ... list of cipher suite
> > NSSProtocol TLSv1.2
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> >
> > And after all my explanation here, my question is: how can I add a new NSS certificate for my IPA servers with the CN in the appropriate domain? In the example above it would be CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each certificate with the corresponding IP address too.
> >
> > I've already done it via the web, but it seems it doesn't work, or I'm probably missing something here. Could anyone point me in the right direction here?
> >
> > Thank you very much in advance for your time and help, regards...
>
> How do you have multiple environments/domains running if enrollment isn't working? Why have production, staging, etc on the same IPA infrastructure?
>
> We need to know what version of IPA you are running. The capabilities differ.
>
> And what have you already done? In detail please.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
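Added illustration, not part of the thread above and not FreeIPA or libcurl code: the check that produced the quoted SSL_ERROR_BAD_CERT_DOMAIN is the TLS client comparing the hostname it was asked to reach (ipa-server-03.pro.mydomain.local) against the names the server certificate presents (here only ipa-server-03.ipa.mydomain.local). The snippet below reimplements that RFC 6125 style comparison in plain Python and runs it over three constructed certificates: one shaped like the IPA-issued certificate in the output (its SAN list is an assumption; the output only shows the CN), a hypothetical replacement that also lists the per-environment name as a dNSName SAN, and a wildcard for the parent domain, which does not help because a wildcard covers exactly one label.

```python
# Added example (not from the thread): how a TLS client such as libcurl/NSS
# decides whether a server certificate covers the requested hostname.
# Rules, per RFC 6125: dNSName SANs take precedence; the subject CN is only a
# fallback when no dNSName SAN is present; comparison is case-insensitive;
# a wildcard must be the entire leftmost label and matches exactly one label.
from dataclasses import dataclass, field
from typing import List


@dataclass
class PeerCert:
    """Minimal view of the names a server certificate presents."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(presented: str, host: str) -> bool:
    """Compare one presented identifier (CN or dNSName) against a hostname."""
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    h_labels = host.split(".")
    # The wildcard must be the whole leftmost label and the label counts must
    # agree, so "*.mydomain.local" never covers "ipa-server-03.pro.mydomain.local".
    if p_labels[0] != "*" or "*" in presented[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: PeerCert, host: str) -> bool:
    """True if a verifier would accept this certificate for this hostname."""
    if cert.san_dns:
        return any(_name_matches(n, host) for n in cert.san_dns)
    return _name_matches(cert.common_name, host)


def explain(cert: PeerCert, host: str) -> str:
    """Verdict text in the spirit of the curl -v output quoted in the thread."""
    if cert_covers_host(cert, host):
        return f"ok: {host} is covered by the certificate"
    names = cert.san_dns or [cert.common_name]
    return (f"SSL_ERROR_BAD_CERT_DOMAIN: requested domain name {host} "
            f"does not match the server's certificate (names: {', '.join(names)})")


# Constructed certificates modelled on the names in the quoted output.
# Assumption: the IPA-issued certificate carries only its ipa.mydomain.local name.
IPA_CERT = PeerCert(
    common_name="ipa-server-03.ipa.mydomain.local",
    san_dns=["ipa-server-03.ipa.mydomain.local"],
)
# Hypothetical replacement that also lists the per-environment name as a SAN:
# the shape of certificate that would pass the hostname check for both names.
MULTI_SAN_CERT = PeerCert(
    common_name="ipa-server-03.ipa.mydomain.local",
    san_dns=["ipa-server-03.ipa.mydomain.local",
             "ipa-server-03.pro.mydomain.local"],
)
# A wildcard for the parent domain spans one label only, so it does not help.
WILDCARD_CERT = PeerCert(common_name="*.mydomain.local",
                         san_dns=["*.mydomain.local"])

REQUESTED_HOST = "ipa-server-03.pro.mydomain.local"

if __name__ == "__main__":
    for label, cert in (("ipa-issued", IPA_CERT),
                        ("multi-SAN", MULTI_SAN_CERT),
                        ("wildcard", WILDCARD_CERT)):
        print(f"{label:<11} {explain(cert, REQUESTED_HOST)}")
```

Because the quoted connection is made by hostname, it is the name, not the 192.168.0.1 address, that the verifier looks for in the certificate; an iPAddress SAN would only matter if the client connected to the server by IP.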