

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa01.nix.mds.xyz'

When joining a new client to the FreeIPA servers (note that the enrollment password passed with -w ends up in the shell history; -W prompts for it instead):

# ipa-client-install --uninstall; ipa-client-install --force-join -p USER -w "SECRET" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U

the join fails against every server with the following messages:

Connection to https://idmipa01.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa01.nix.mds.xyz'. (_ssl.c:1007)
Connection to https://idmipa02.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa02.nix.mds.xyz'. (_ssl.c:1007)

On the surface this message doesn't make much sense: the certificate's subject CN is exactly the hostname being checked. To see what the server actually presents, pull the leaf certificate from port 443 (the first PEM block in the s_client output) straight into a file:

# openssl s_client -connect idmipa01.nix.mds.xyz:443 -servername idmipa01.nix.mds.xyz </dev/null 2>/dev/null | openssl x509 -outform PEM > freeipa.pem

then decode it:

# openssl x509 -in freeipa.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 43 (0x2b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = NIX.MDS.XYZ, CN = Certificate Authority
        Validity
            Not Before: Sep 26 05:16:38 2022 GMT
            Not After : Sep 26 05:16:38 2024 GMT
        Subject: O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz

However, on closer inspection, the SAN extension contains no DNS name. The client's TLS stack (Python's ssl module, hence the _ssl.c reference in the error) matches the hostname against the dNSName entries of the subjectAltName extension rather than the subject CN, and the only entries present are Kerberos identities: the HTTP/ service principal as a UPN othername and as a PKINIT KRB5PrincipalName (OID 1.3.6.1.5.2.2). So this is a hostname-verification failure, not a CA trust problem, and adding the IPA CA to the client's trust store would not help:


            X509v3 Subject Alternative Name:
                othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

To add a DNS SAN entry, run the following on every IPA server, replicas included, since the client tries each server it is given and every one of them has to present a certificate that names itself. First find the certmonger request ID that tracks the Apache server certificate, then resubmit it with -D to request a dNSName SAN for the host ($(hostname) must expand to the FQDN the clients connect to; use hostname -f if in doubt). The NSS database path and nickname below are the ones used by older FreeIPA releases; on releases that keep the certificate as a file, locate the request with getcert list -f /var/lib/ipa/certs/httpd.crt instead.

idmipa01: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa01: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

idmipa02: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa02: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)

Wait for getcert list -i FROM_ABOVE_COMMAND to show the request back in MONITORING (certmonger's post-save command restarts httpd once the new certificate is in place), then verify again from the client, with the openssl commands above, that each server now presents a DNS entry in its SAN:


idmipa01:
            X509v3 Subject Alternative Name:
                DNS:idmipa01.nix.mds.xyz, othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

idmipa02:
            X509v3 Subject Alternative Name:
                DNS:idmipa02.nix.mds.xyz, othername: UPN::HTTP/idmipa02.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::

Hope this helps!

Cheers,

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License