Hello Rob, Thanks for chipping in!
> How do you have multiple environments/domains running if enrollment isn't working?

Well, the project started in just one environment, and several clients were enrolled. Then my manager wanted me to include other environments as well, but there were no network routes to them, so I added a new network interface to the FreeIPA servers for each new environment (2 more so far), and that's where I haven't managed to enroll new clients.

> Why have production, staging, etc on the same IPA infrastructure?

There are several reasons. Although my first idea when I was asked to add more environments was to deploy new IPA servers in a "remote" location, the lack of resources we have right now, and the fact that the total number of clients is not that big (around 30 counting all environments), made it hard to convince my manager to authorize the deployment of a new IPA infrastructure for each environment.

> We need to know what version of IPA you are running. The capabilities differ.

My bad, I forgot to add it. I'm using FreeIPA 4.6.4 on CentOS 7.6 (server and clients), all software updated around three weeks ago:

- krb5 1.15.1-37
- ipa 4.6.4-10
- sssd 1.16.2-13
- httpd 2.4.6-89
- nss 3.36.0-7.1

> And what have you already done? In detail please.

So far, I encountered several errors while trying to enroll new clients, and I was able to solve them by performing these actions in this particular order:

I added a VirtualHost section in the /etc/httpd/conf.d/nss.conf file for each network interface on each IPA server (I have 3 in total) to avoid the "301 moved permanently" error, something like this:

    <VirtualHost 192.168.0.1:443>
        # I've changed the "_default_:443" value in order to match the network addresses
        ServerName ipa-server-01.ipa.mydomain.local
        ErrorLog /etc/httpd/logs/error_log
        TransferLog /etc/httpd/logs/access_log
        LogLevel warn
        NSSEngine on
        NSSCipherSuite ... list of cipher suites
        NSSProtocol TLSv1.2
        NSSNickname Server-Cert
        NSSCertificateDatabase /etc/httpd/alias
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            NSSOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            NSSOptions +StdEnvVars
        </Directory>
        Include /etc/httpd/conf.d/ipa-pro-rewrite.conf
    </VirtualHost>

Also, /etc/httpd/conf.d/ipa-pro-rewrite.conf was added to match the rewrite rules:

    RewriteEngine on
    RewriteRule ^/$ https://ipa-server-01.pro.mydomain.local/ipa/ui [L,NC,R=301]
    RewriteCond %{HTTP_HOST} !^ipa-server-01.pro.mydomain.local$ [NC]
    RewriteRule ^/ipa/(.*) http://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
    RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
    RewriteRule ^/ipa/(.*) https://ipa-server-01.pro.mydomain.local/ipa/$1 [L,R=301,NC]
    RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]

Then I had to add a new principal alias for each IPA server, like this:

    ldap/ipa-server-01.pro.mydomain.local@IPA.MYDOMAIN.LOCAL

in order to solve the following error:

    trying to retrieve CA cert via LDAP from ipa-server-01.pro.mydomain.local
    get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/ipa-server-01.pro.mydomain.local@IPA.MYDOMAIN.LOCAL not found in Kerberos database)

And then I ran into the "Unable to communicate securely with peer: requested domain name does not match the server's certificate" error mentioned in my post when trying to enroll new servers. This is where I'm stuck so far.

I also added a DNS zone (forward and reverse) for the new environment, in this case "pro.mydomain.local." and "0.168.192.in-addr.arpa."

I hope this will give you enough information to get around this issue. Thanks in advance for your time and help, regards...
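Added example (not from the thread or the FreeIPA project): a small Python check for the "requested domain name does not match the server's certificate" error above. It fetches the cert an IPA server presents on a given interface, verifies it against the IPA CA (assumed at /etc/ipa/ca.crt) and then reports which of the per-environment names clients will use are not covered by the certificate's SAN. The sample cert dict and host names are constructed to mirror the thread's setup.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# it has only the original environment's name, like the thread's server cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "ipa-server-01.ipa.mydomain.local"),),),
    "subjectAltName": (
        ("DNS", "ipa-server-01.ipa.mydomain.local"),
        ("IP Address", "10.0.0.1"),
    ),
}


def _label_match(pattern, name):
    """RFC 6125-style match: a leading '*' matches exactly one left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    parts = name.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def cert_covers(cert, name):
    """True if the cert's SAN (or CN when the SAN has no DNS entries) covers `name`."""
    try:
        wanted_ip = ipaddress.ip_address(name)
    except ValueError:
        wanted_ip = None
    san = cert.get("subjectAltName", ())
    if wanted_ip is not None:  # clients connecting by IP need an iPAddress SAN
        return any(k == "IP Address" and ipaddress.ip_address(v) == wanted_ip
                   for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_label_match(p, name) for p in dns_names)


def missing_names(cert, required):
    """Names clients will use that this cert does not cover, in input order."""
    return [n for n in required if not cert_covers(cert, n)]


def fetch_peer_cert(host, port=443, ca_file="/etc/ipa/ca.crt", server_name=None):
    """Return the peer cert dict, verified against the IPA CA but with hostname
    checking disabled so every interface's name can be checked by missing_names()."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()
```

Run `missing_names(fetch_peer_cert("192.168.0.1"), ["ipa-server-01.pro.mydomain.local", "192.168.0.1"])` against each interface; a non-empty list is the set of names the server cert must gain (via ipa-getcert resubmit with extra -D/-A entries) before clients in that environment can enroll.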
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org