On 30 Jul 2019, at 04:07, Fong, Trevor <trevor.fong(a)ubc.ca> wrote:
Hi William,
Thanks very much for the clues.
I finally got it to work by:
1. Importing the wildcard cert's CA cert chain (I did each issuer as separate
entries, but it might work concatenated into 1 file?)
certutil -A -d . -n "CA ExternalCARoot" -t "CT,," -i ExternalCARoot.crt
certutil -A -d . -n "CA Intermediate_CA" -t "CT,," -i IntermediateCA.crt
certutil -A -d . -n "CA StandardSSLCA" -t "CT,," -i StandardSSLCA.crt
2. Convert wildcard cert's key to PKCS #12
openssl pkcs12 -export -out star.example.com_key.pfx \
    -inkey star.example.com.key -in star.example.com.crt -certfile StandardSSLCA2.crt
3. Import the wildcard cert's key
pk12util -i star.example.com_key.pfx -d /etc/dirsrv/slapd-<instance>/ -W "password"
4. Find the name of the wildcard cert
certutil -L -d . -f pwdfile.txt
5. Point 389 DS at the wildcard cert
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: *.example.com - CA
6. Restart 389 DS
systemctl restart dirsrv.target
In future versions, you'll need to restart the dirsrv@instance.service directly, as
dirsrv.target will be removed.
Otherwise, great to hear you got it working, and was happy to help you!
Thanks,
Trev
On 2019-07-26, 5:49 PM, "William Brown" <wbrown(a)suse.de> wrote:
> On 27 Jul 2019, at 07:50, Fong, Trevor <trevor.fong(a)ubc.ca> wrote:
>
> Hi Everyone,
>
> I've configured 2 new 389 DS hubs (e.g. new1.example.com, new2.example.com) and
> have connected them to our main 389 DS cluster.
> They each have their own self-signed certificate, and replication is working well.
>
> I now want to load-balance these 2 nodes under their own VIP/hostname:
> downtown.example.com.
> I have added our wildcard cert for *.example.com to each node's NSS cert DB in
> /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
You have to remove the existing "server-cert" alias in NSS DB, and add your
wildcard cert/key with the name "server-cert". You'll need to make a P12
bundle with the right alias and then import it.
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_refer...
Check the "importing certificates to NSS" section, and the "basic listing" section.
Hope that helps,
>
> However, querying the VIP's SSL, I see that the new node's self-signed cert
> is still presented instead of the wildcard:
>
> $ echo | openssl s_client -connect downtown.example.com:636
> CONNECTED(00000003)
> depth=1 CN = self-ca.example.com
> verify error:num=19:self signed certificate in certificate chain
> ---
> <server cert details redacted>
>
> I thought that perhaps the node's own new1.example.com self-signed cert was
> taking precedence over the wildcard cert.
> But removing it resulted in:
>
> $ echo | openssl s_client -connect downtown.example.com:636
> socket: Bad file descriptor
> connect:errno=9
>
>
> Would anyone be able to tell me how to achieve this correctly, or point me in the
> right/another direction?
>
> Thanks a lot,
> Trev
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
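The six steps from the thread, as one added example script; this is not code from the thread or from the 389 DS project. It departs from the posted commands in a few places a practitioner should want: openssl pkcs12 -name sets the PKCS#12 friendly name, which pk12util uses as the NSS nickname, so the nickname is chosen up front instead of being looked up with certutil -L afterwards; the PKCS#12 and NSS DB passwords are read from files rather than passed as -W "password" on the command line, where they land in the process list and shell history; the nickname is checked against certutil -L before nsSSLPersonalitySSL is changed, so a wrong name fails loudly instead of leaving the server pointed at a nickname that does not exist; and the final check runs openssl s_client with -CAfile, -verify_hostname and -verify_return_error, which exits non-zero on a bad chain or name rather than only printing "verify error" as the query in the original post did. The instance name, file paths and the ldapi socket path are assumptions (the socket path is the 389 DS default, and ldapi autobind is assumed to map root to Directory Manager).

```shell
#!/bin/sh
# Added example (not from the thread or the 389 DS project): the six
# steps above as one script. Instance name, paths and file names are
# assumptions; the ldapi socket path is the 389 DS default.
set -eu

INSTANCE="${INSTANCE:-downtown}"                 # assumed instance name
DBDIR="${DBDIR:-/etc/dirsrv/slapd-$INSTANCE}"    # NSS DB directory
PINFILE="${PINFILE:-$DBDIR/pwdfile.txt}"         # NSS DB password file
NICK="${NICK:-Server-Cert}"                      # nickname 389 DS will use

# Step 5 as a function: LDIF that points nsSSLPersonalitySSL at a nickname.
ldif_for_nickname() {
  printf 'dn: cn=RSA,cn=encryption,cn=config\n'
  printf 'changetype: modify\n'
  printf 'replace: nsSSLPersonalitySSL\n'
  printf 'nsSSLPersonalitySSL: %s\n' "$1"
}

# Step 4 as a check: read `certutil -L` output on stdin and succeed only if
# the nickname is present with a private key ('u' in the SSL trust column).
# Nicknames may contain spaces ("*.example.com - CA"), so split on the
# trailing trust column instead of on whitespace.
nickname_has_key() {
  awk -v want="$1" '
    match($0, /[ \t]+[A-Za-z,]*,[A-Za-z,]*[ \t]*$/) {
      name  = substr($0, 1, RSTART - 1)
      flags = substr($0, RSTART); gsub(/[ \t]/, "", flags)
      if (name == want && flags ~ /^u/) found = 1
    }
    END { exit !found }'
}

# Steps 1-3, 5 and 6. Usage: install_wildcard KEY LEAF CA1.crt [CA2.crt ...]
install_wildcard() {
  key="$1"; leaf="$2"; shift 2
  p12="$(mktemp)"; p12pw="$(mktemp)"
  trap 'rm -f "$p12" "$p12pw"' EXIT
  head -c 24 /dev/urandom | base64 > "$p12pw"    # one-time PKCS#12 password

  # 1. Import every issuer with CA trust so NSS can build the chain.
  for ca in "$@"; do
    certutil -A -d "$DBDIR" -f "$PINFILE" -n "CA $(basename "$ca" .crt)" \
      -t "CT,," -i "$ca"
  done

  # 2. Bundle key + leaf. -name fixes the friendly name, which pk12util
  #    uses as the nickname, so nothing has to be guessed afterwards.
  #    Passwords come from files, never from argv or shell history.
  openssl pkcs12 -export -name "$NICK" -inkey "$key" -in "$leaf" \
    -passout "file:$p12pw" -out "$p12"

  # 3. Import into the instance DB.
  pk12util -i "$p12" -d "$DBDIR" -k "$PINFILE" -w "$p12pw"

  # 4. Refuse to go on unless the nickname really exists with its key;
  #    otherwise the next step would leave the server pointing at nothing.
  certutil -L -d "$DBDIR" -f "$PINFILE" | nickname_has_key "$NICK" \
    || { echo "nickname '$NICK' missing or has no private key" >&2; exit 1; }

  # 5. Switch the server to it over the local ldapi socket (root via EXTERNAL;
  #    assumes ldapi autobind, socket path is the 389 DS default).
  ldif_for_nickname "$NICK" \
    | ldapmodify -Q -Y EXTERNAL -H "ldapi://%2Fvar%2Frun%2Fslapd-$INSTANCE.socket"

  # 6. Restart the instance unit, not dirsrv.target.
  systemctl restart "dirsrv@$INSTANCE.service"
}

# What the listener actually presents, checked against the real chain and
# hostname. A bare `openssl s_client` prints the verify error but still
# exits 0; -verify_return_error and -verify_hostname make the check binary.
verify_endpoint() {                               # verify_endpoint HOST CABUNDLE
  printf '' | openssl s_client -connect "$1:636" -servername "$1" \
      -CAfile "$2" -verify_hostname "$1" -verify_return_error 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

case "${1:-}" in
  install) shift; install_wildcard "$@" ;;
  verify)  shift; verify_endpoint "$@" ;;
  *) echo "usage: $0 install KEY LEAF CA.crt... | verify HOST CABUNDLE" >&2 ;;
esac
```

Run as root on the node: `./wildcard.sh install star.example.com.key star.example.com.crt ExternalCARoot.crt IntermediateCA.crt StandardSSLCA.crt`, then from anywhere `./wildcard.sh verify downtown.example.com chain.pem` (chain.pem being the concatenated issuer certs). The old self-signed "server-cert" can be deleted with certutil -D only after the verify step passes; deleting it first is what leaves the listener with nothing to serve.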