Re: Setting Up 389 DS for Load Balancing with SSL Wildcard Certs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On 30 Jul 2019, at 04:07, Fong, Trevor <trevor.fong@xxxxxx> wrote:
> 
> Hi William,
> 
> Thanks very much for the clues.
> I finally got it to work by:
> 1. Importing the wildcard cert's CA cert chain (I did each issuer as separate entries, but it might work concatenated into 1 file?)
>  certutil -A -d . -n "CA ExternalCARoot" -t "CT,," -i ExternalCARoot.crt
>  certutil -A -d . -n "CA Intermediate_CA" -t "CT,," -i IntermediateCA.crt
>  certutil -A -d . -n "CA StandardSSLCA" -t "CT,," -i StandardSSLCA.crt
> 2. Convert wildcard cert's key to PKCS #12
>  openssl pkcs12 -export -out star.example.com_key.pfx -inkey star.example.com.key -in star.example.com.crt -certfile StandardSSLCA2.crt
> 3. Import the wildcard cert's key
>  pk12util -i star.example.com_key.pfx -d /etc/dirsrv/slapd-<instance>/ -W "password"
> 4. Find the name of the wildcard cert
>  certutil -L -d . -f pwdfile.txt
> 5. Point 389 DS at the wildcard cert
>  dn: cn=RSA,cn=encryption,cn=config
>  changetype: modify
>  replace: nsSSLPersonalitySSL
>  nsSSLPersonalitySSL: *.example.com - CA
> 6. Restart 389 DS
>  systemctl restart dirsrv.target

In future versions, you'll need to restart the dirsrv@instance.service directly as dirsrv.target will be removed.

Otherwise, great to hear you got it working, and was happy to help you! 


> 
> Thanks,
> Trev
> 
> 
> 
> On 2019-07-26, 5:49 PM, "William Brown" <wbrown@xxxxxxx> wrote:
> 
> 
> 
>> On 27 Jul 2019, at 07:50, Fong, Trevor <trevor.fong@xxxxxx> wrote:
>> 
>> Hi Everyone,
>> 
>> I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster.
>> They each have their own self-signed certificate, and replication is working well.
>> 
>> I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com.
>> I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
> 
>    You have to remove the existing "server-cert" alias in NSS DB, and add your wildcard cert/key with the name "server-cert". You'll need to make a P12 bundle with the right alias and then import it.
> 
>    https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_reference.html
> 
>    Check the "importing certificates to NSS" section, and the "basic listing" section. 
> 
>    Hope that helps, 
> 
>> 
>> However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard:
>> 
>> $ echo | openssl s_client -connect downtown.example.com:636
>> CONNECTED(00000003)
>> depth=1 CN = self-ca.example.com
>> verify error:num=19:self signed certificate in certificate chain
>> ---
>> <server cert details redacted>
>> 
>> I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert.
>> But removing it resulted in:
>> 
>> $ echo | openssl s_client -connect downtown.example.com:636
>> socket: Bad file descriptor
>> connect:errno=9
>> 
>> 
>> Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction?
>> 
>> Thanks a lot,
>> Trev
>> 
>> _______________________________________________
>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> 
>
>    Sincerely,
> 
>    William Brown
> 
>    Senior Software Engineer, 389 Directory Server
>    SUSE Labs
>    _______________________________________________
>    389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>    To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>    List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux