FreeIPA ipa-client-install and missing subjectAltName
Updated by ospi
Running ipa-client-install might fail due to a missing subjectAltName (SAN) in the server certificates, with the following error message.
Joining realm failed: Unable to initialize STARTTLS session
Connect error: TLS: hostname does not match subjectAltName in peer certificate
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Connect error: TLS: hostname does not match subjectAltName in peer certificate
One possible reason for this is RHEL derivatives dropping the fallback to CN validation in openldap-2.4.46-10, leaving subjectAltName as the only field used for hostname validation. You can check the SAN extension on the IPA server with openssl.
openssl s_client -showcerts -connect <YOUR-IPA-SERVER-IP/NAME>:636 </dev/null 2>/dev/null|openssl x509 -text -noout
Then search for the X509v3 Subject Alternative Name section. If the section doesn't contain a DNS: entry with the hostname, keep reading for a solution. :)
Why is SAN absent?
FreeIPA server certificate profiles are left untouched during updates, and SAN was added to the default service profile in version 4.6.5. This means a pre-4.6.5 installation will keep churning out certificates without the SAN extension. Two steps are needed to get IPA servers back on the TLS highway.
Update certificate profile
The default certificate profile for servers/services is caIPAserviceCert, so we'll export it with the ipa CLI.
ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
Add the new policy set commonNameToSANDefaultImpl to caIPAserviceCert.cfg, incrementing the set number.
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.constraint.class_id=noConstraintImpl
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.constraint.name=No Constraint
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.default.name=Copy Common Name to Subject
Add the number to the policy set list.
policyset.serverCertSet.list=1,2,3,4,5,6,...,<NEXT_POLICYSET_NUMBER>
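Doing the two edits above by hand on a long exported profile is easy to get wrong (a number reused, or the list line not updated). The following is an added example, not part of the original post: a small Python script that finds the next free policy set number, appends the four commonNameToSANDefaultImpl lines and extends the list line, and does nothing if the profile already has the policy. The SAMPLE_PROFILE is a constructed, abridged stand-in for a real export.

```python
import re

# Constructed, abridged stand-in for an exported pre-4.6.5 caIPAserviceCert
# profile; a real export has many more policyset entries.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.3.default.class_id=userExtensionDefaultImpl
"""

# The four lines from the write-up, with the set name and number filled in.
SAN_POLICY = (
    "policyset.{ps}.{n}.constraint.class_id=noConstraintImpl",
    "policyset.{ps}.{n}.constraint.name=No Constraint",
    "policyset.{ps}.{n}.default.class_id=commonNameToSANDefaultImpl",
    "policyset.{ps}.{n}.default.name=Copy Common Name to Subject",
)

def has_cn_to_san(profile: str) -> bool:
    """True if the profile already copies the CN into the SAN extension."""
    return "default.class_id=commonNameToSANDefaultImpl" in profile

def add_cn_to_san(profile: str, policyset: str = "serverCertSet") -> str:
    """Append the commonNameToSANDefaultImpl policy under the next free
    number and add that number to policyset.<name>.list. Idempotent."""
    if has_cn_to_san(profile):
        return profile
    list_re = re.compile(rf"^policyset\.{re.escape(policyset)}\.list=(.*)$", re.M)
    m = list_re.search(profile)
    if m is None:
        raise ValueError(f"no policyset.{policyset}.list line in profile")
    numbers = [int(x) for x in m.group(1).split(",") if x.strip()]
    nxt = max(numbers) + 1  # next free set number, even if the list is unordered
    new_list = ",".join(str(x) for x in numbers + [nxt])
    updated = profile[: m.start(1)] + new_list + profile[m.end(1) :]
    added = "\n".join(line.format(ps=policyset, n=nxt) for line in SAN_POLICY)
    return updated.rstrip("\n") + "\n" + added + "\n"

if __name__ == "__main__":
    print(add_cn_to_san(SAMPLE_PROFILE))
```

Run it against the file exported with ipa certprofile-show and feed the result to ipa certprofile-mod as described below.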
And import the new profile to IPA.
ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.cfg
Reissue IPA server's own certificates
The default installation has two certificates monitored by certmonger, one for LDAP and one for HTTPD. Show the certificates with
ipa-getcert list
Which shows
Number of certificates and requests being tracked: 11.
Request ID '444555666':
status: MONITORING
stuck: no
And resubmit both certificates by ID
ipa-getcert resubmit -i 444555666
Post-save hooks should handle restarting the ldap and httpd services.
Source used, and more information about the CN deprecation: https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html.