[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’

Header Shadow Image

When joining a new client to the FreeIPA servers:

# ipa-client-install –uninstall; ipa-client-install –force-join -p USER -w “SECRET” –fixed-primarver=idmipa01.nix.mds.xyz –server=idmipa02.nix.mds.xyz –domain=nix.mds.xyz –realm=NIX.MDS.XYZ -U

the following message is visible:

Connection to https://idmipa01.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’. (_ssl.c:1007)
Connection to https://idmipa02.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa02.nix.mds.xyz’. (_ssl.c:1007)

On the surface this message doesn’t make much sense. The certificate definitely matches the hostname:

openssl s_client -connect idmipa01.nix.mds.xyz:443

save certificate to a file by copying it out from the output of above command, then issue:


# openssl x509 -in freeipa.pem -text -noout </dev/null
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 43 (0x2b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = NIX.MDS.XYZ, CN = Certificate Authority
        Validity
            Not Before: Sep 26 05:16:38 2022 GMT
            Not After : Sep 26 05:16:38 2024 GMT
        Subject: O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz

However, on closer inspection, there is no SAN entry:


            X509v3 Subject Alternative Name:
                othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

Do add a SAN entry, issue the following on each IPA server, including the replicas you may have to add in a SAN certificate entry:

idmipa01: getcert list -d “/etc/httpd/alias” -n “Server-Cert”
idmipa01: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

idmipa02: getcert list -d “/etc/httpd/alias” -n “Server-Cert”
idmipa02: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

Verify again with openssl commands, from the client that the returned FreeIPA certificates now have a SAN entry:


idmipa01:
            X509v3 Subject Alternative Name:
                DNS:idmipa01.nix.mds.xyz, othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

idmipa02:
            X509v3 Subject Alternative Name:
                DNS:idmipa02.nix.mds.xyz, othername: UPN::HTTP/idmipa02.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

Hope this helps!

Cheers,

This entry was posted on Sunday, November 19th, 2023 at 10:34 pm and is filed under NIX Posts. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

You must be logged in to post a comment.

April 2024

M T W T F S S

1 2 3 4 5 6 7

8 9 10 11 12 13 14

15 16 17 18 19 20 21

22 23 24 25 26 27 28

29 30

« Mar
Categories
- Assorted Nuts (8)
- Cloud (1)
- Hardware (3)
- JADDB (1)
- Network (8)
- NIX Posts (420)
- Perl (5)
- Web (9)
- Windows (12)
Blogroll
- Micro Dev Sys (Facebook)
Databases
Java
- Java Gaming Forums
- java.sun.com
Languages
Linux
Miscellaneous
- Quotations
Perl
- PERL Knowledge Base
- Perl Monks Forum
Scripting
- AWK Cheat Sheet
- Effective AWK Programming
Web
- Web Hosting Chat
- Web Hosting Directory

April 2024
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30


	Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved. This work is licensed under a Creative Commons Attribution 3.0 Unported License Privacy / Use / Terms / Disclaimer Policy.

Thoughts and Scribbles | MicroDevSys.com