ipa-client-install might fail due to missing SubjectAltName (SAN) in the server certificates with the following error message.
Joining realm failed: Unable to initialize STARTTLS session Connect error: TLS: hostname does not match subjectAltName in peer certificate
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session Connect error: TLS: hostname does not match subjectAltName in peer certificate
One possible reason is that RHEL derivatives dropped the fallback to CN validation in openldap-2.4.46-10, leaving subjectAltName as the only field used for hostname validation. You can check the SAN extension on the IPA server with
openssl s_client -showcerts -connect <YOUR-IPA-SERVER-IP/NAME>:636 </dev/null 2>/dev/null|openssl x509 -text -noout
and search for the X509v3 Subject Alternative Name section. If that section is absent, or contains no DNS: field with the server's hostname, keep reading for a solution. :)
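The same check wrapped into small shell functions, as an added example that is not part of the original post. It parses the openssl -text output for the X509v3 Subject Alternative Name section and, to run without an IPA server, exercises the check against self-signed certificates it generates locally (one with a SAN, one with only a CN); the hostnames and the openssl 1.1.1+ -addext option are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own code: check a certificate for a DNS SAN
# matching a hostname, the test openldap applies now that CN fallback is gone.
# Assumes openssl 1.1.1 or newer on PATH (needed for -addext in the test cert).

# fetch_server_cert HOST PORT OUT_PEM -> saves the leaf certificate a live server presents
# (mirrors the s_client command from the post; not used by the offline checks below)
fetch_server_cert() {
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# san_dns_names CERT_PEM -> one "DNS:<name>" per line, empty if the extension is absent
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name:/ { getline; print; exit }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep '^DNS:' || true
}

# has_dns_san CERT_PEM HOSTNAME -> exit 0 only when a DNS SAN equals HOSTNAME exactly
# (the CN is deliberately ignored, as openldap-2.4.46-10 and later ignore it)
has_dns_san() {
    san_dns_names "$1" | grep -qxF "DNS:$2"
}

# san_status CERT_PEM HOSTNAME -> prints OK or MISSING
san_status() {
    if has_dns_san "$1" "$2"; then echo OK; else echo MISSING; fi
}

# make_test_cert OUT_PEM CN [SAN_LIST] -> constructed self-signed certificate for testing;
# without SAN_LIST it mimics a pre-4.6.5 IPA cert that carries only a CN
make_test_cert() {
    out="$1"; cn="$2"; san="$3"
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
            -days 1 -subj "/CN=$cn" -addext "subjectAltName=$san" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
            -days 1 -subj "/CN=$cn" >/dev/null 2>&1
    fi
}

# Usage against a real server (hostname and port are placeholders):
#   fetch_server_cert ipa.example.test 636 /tmp/ipa.pem && san_status /tmp/ipa.pem ipa.example.test
```

The match is exact on purpose: a certificate whose only DNS entry is a short name or an alias will still fail the client's STARTTLS check for the FQDN it connects to, so test with the name the clients actually use.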
Why is SAN absent?
FreeIPA server certificate profiles are left untouched during updates, and SAN was only added to the default service profile in version 4.6.5. This means an installation that started before 4.6.5 will keep churning out certificates without the SAN extension. Two steps are needed to get the IPA servers back on the TLS highway.
Update certificate profile
The default certificate profile for servers/services is caIPAserviceCert, so we'll export it with the ipa CLI.
ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
Add the new policy set commonNameToSANDefaultImpl to caIPAserviceCert.cfg, incrementing the set number.
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.constraint.class_id=noConstraintImpl
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.constraint.name=No Constraint
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.<NEXT_POLICYSET_NUMBER>.default.name=Copy Common Name to Subject
Add the new number to the policy set list (the policyset.serverCertSet.list line).
And import the new profile to IPA.
ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.cfg
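The edit step done by script, as an added example that is not part of the original post: it reads the exported profile, takes the next free number from the policyset.serverCertSet.list line, appends the four entries shown above, registers the number in the list, and refuses to add the policy twice. The sample profile it is run on is a constructed, abbreviated stand-in for a real caIPAserviceCert export; the real file is much longer but uses the same key layout.

```shell
#!/bin/sh
# Added example, not the post's own code: append the commonNameToSANDefaultImpl
# policy set to an exported caIPAserviceCert.cfg the way the post describes.

# add_cn_to_san_policy IN_CFG OUT_CFG -> writes the amended profile to OUT_CFG
add_cn_to_san_policy() {
    in="$1"; out="$2"
    # Already patched (e.g. a 4.6.5+ profile): copy through unchanged rather than add a duplicate
    if grep -q '^policyset\.serverCertSet\.[0-9]*\.default\.class_id=commonNameToSANDefaultImpl' "$in"; then
        cp "$in" "$out"
        return 0
    fi
    awk '
        /^policyset\.serverCertSet\.list=/ {
            # next free number = highest existing set number + 1
            n = split(substr($0, index($0, "=") + 1), ids, ",")
            max = 0
            for (i = 1; i <= n; i++) if (ids[i] + 0 > max) max = ids[i] + 0
            newid = max + 1
            print $0 "," newid        # register the new set number in the list
            found = 1
            next
        }
        { print }
        END {
            if (!found) exit 2        # no serverCertSet list: not the profile we expect
            p = "policyset.serverCertSet." newid
            print p ".constraint.class_id=noConstraintImpl"
            print p ".constraint.name=No Constraint"
            print p ".default.class_id=commonNameToSANDefaultImpl"
            print p ".default.name=Copy Common Name to Subject"
        }' "$in" > "$out"
}

# list_line CFG -> prints the policyset.serverCertSet.list line
list_line() {
    grep '^policyset\.serverCertSet\.list=' "$1"
}

# write_sample_profile OUT -> constructed, abbreviated stand-in for the exported profile
write_sample_profile() {
    cat > "$1" <<'EOF'
profileId=caIPAserviceCert
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
EOF
}

# Usage on a real export (the ipa commands come from the post, file names are placeholders):
#   ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
#   add_cn_to_san_policy caIPAserviceCert.cfg caIPAserviceCert.new.cfg
#   ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.new.cfg
```

Diff the amended file against the export before importing it; the only changes should be the extended list line and the four new policy entries.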
Reissue IPA server's own certificates
The default installation has two certificates monitored by certmonger, one for LDAP and one for HTTPD. Show the certificates with
ipa-getcert list
Number of certificates and requests being tracked: 11.
Request ID '444555666':
        status: MONITORING
        stuck: no
and resubmit both certificates by request ID.
ipa-getcert resubmit -i 444555666
The post-save hooks should handle restarting the affected services.
Source used, and more information about the CN deprecation: https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html.