On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by
> an external root CA. Problem:
>
> Even though I have imported the root CA and clicked on all the trust
> checkboxes, chromium complains about the certificate of the web admin
> interface running on https://ipa1.example.com/ :
>
> - Subject Alternative Name missing
>   The certificate for this site does not contain a Subject Alternative
>   Name extension containing a domain name or IP address.
> - Certificate error
>   There are issues with the site's certificate chain
>   (net::ERR_CERT_COMMON_NAME_INVALID).
>
> The CN is "ipa1.example.com", matching the host name. The Subject
> Alternative Name is
>
>     Not Critical
>     Microsoft Principal Name: HTTP/ipa1.example.com@EXAMPLE.COM
>     OID.1.3.6.1.5.2.2: 30 30 A0 0B 1B 09 41 49 58 49 47 4F 2E 44 45 A1
>     21 30 1F A0 03 02 01 01 A1 18 30 16 1B 04 48 54
>     54 50 1B 0E 69 70 61 31 2E 61 69 78 69 67 6F 2E
>     64 65
>
> I haven't seen this mentioned here, but Google provides some more
> information:
> https://support.google.com/chrome/a/answer/7391219?hl=en
>
> How can I tell freeipa?

Hi Harald,

Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
HTTP certificate with the appropriate DNS-NAME Subject Alt Name
value(s). Use `getcert list` to find the REQUEST-ID to use; it will
be the certificate in NSSDB `/etc/httpd/alias` with nickname
`Server-Cert`.

Cheers,
Fraser
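
To confirm the result of the resubmit described above, the following check tests whether a certificate's SAN contains a dNSName entry for the host, which is what Chromium is asking for. It is an added example, not part of the original thread; the function names and the two SAN samples are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): does a certificate carry a dNSName SAN
# for the host? Input is the text printed by `openssl x509 -noout -text`.

# san_has_dns HOST  -- certificate text on stdin; exit 0 if a DNS entry covers HOST.
san_has_dns() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # One SAN entry per line, trimmed and lower-cased, then an exact match on
    # either the host itself or a wildcard for its parent domain.
    tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        tr '[:upper:]' '[:lower:]' |
        grep -Fxq -e "dns:$want" -e "dns:*.${want#*.}"
}

# Constructed samples of the SAN section. The rendering of othername entries
# varies between OpenSSL versions; only the DNS: entries matter here.
SAN_BEFORE='X509v3 Subject Alternative Name:
    othername:<unsupported>, othername:<unsupported>'
SAN_AFTER='X509v3 Subject Alternative Name:
    DNS:ipa1.example.com, othername:<unsupported>, othername:<unsupported>'

# report LABEL CERT_TEXT HOST -- print a one-line verdict for a sample.
report() {
    if printf '%s\n' "$2" | san_has_dns "$3"; then
        echo "$1: dNSName for $3 present"
    else
        echo "$1: no dNSName for $3 (principal-name entries only)"
    fi
}

report "before resubmit" "$SAN_BEFORE" ipa1.example.com
report "after resubmit"  "$SAN_AFTER"  ipa1.example.com

# On the IPA server, the live certificate can be checked the same way:
#   certutil -L -d /etc/httpd/alias -n Server-Cert -a |
#       openssl x509 -noout -text | san_has_dns ipa1.example.com
```

A CN that matches the host name does not change the outcome: only `DNS:` entries in the SAN are considered.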