FreeIPA ipa-client-install and missing subjectAltName

Updated at by

Running ipa-client-install might fail due to missing SubjectAltName (SAN) in the server certificates with the following error message.

Joining realm failed: Unable to initialize STARTTLS session
    Connect error: TLS: hostname does not match subjectAltName in peer certificate
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
    Connect error: TLS: hostname does not match subjectAltName in peer certificate

One possible reason for this is RHEL derivates dropping fallback to CN validation in openldap-2.4.46-10 leaving subjectAltName as only field used for hostname validation. You can check the SAN extension on the IPA server with openssl.

openssl s_client -showcerts -connect <YOUR-IPA-SERVER-IP/NAME>:636 </dev/null 2>/dev/null|openssl x509 -text -noout

And search for the X509v3 Subject Alternative Name section. If the section doesn't contain DNS: field with the hostname keep reading for a solution. :)

Why SAN is absent?

FreeIPA server certificate profiles are left untouched during updates and SAN was added to the default service profile in version 4.6.5. This means a pre 4.6.5 installation will keep churning out certificates without SAN extension. Two steps needed get IPA servers back on the TLS highway.

Update certificate profile

The default certificate profile for servers/services is caIPAserviceCert. So we'll export it with ipa-cli.

ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg

Add the new policy set commonNameToSANDefaultImpl to the caIPAserviceCert.cfg incrementing the set number.

policyset.serverCertSet.<NEXT_POLICYSET_NUMBER> Constraint
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER> Common Name to Subject

Add the number to the policy set list.


And import the new profile to IPA.

ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.cfg

Reissue IPA server's own certificates

Default installation has two certificates monitered by certmonger, one for LDAP and one for HTTPD. Show the certificates with

ipa-getcert list

Which shows

Number of certificates and requests being tracked: 11.
Request ID '444555666':
  status: MONITORING
    stuck: no

And resubmit both certificates by ID

ipa-getcert resubmit -i 444555666

Post save hooks should handle restarting ldap and httpd services.

Source used and more information about the CN deprecation

Share on FacebookShare on Facebook Share on TwitterShare on Twitter

Leave a comment