[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa01.nix.mds.xyz'
When joining a new client to the FreeIPA servers:
# ipa-client-install --uninstall; ipa-client-install --force-join -p USER -w "SECRET" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
(passing the enrollment password with -w leaves it in the shell history and visible in the process list while the command runs; -W prompts for it instead)
the following message is visible:
Connection to https://idmipa01.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa01.nix.mds.xyz'. (_ssl.c:1007)
Connection to https://idmipa02.nix.mds.xyz/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'idmipa02.nix.mds.xyz'. (_ssl.c:1007)
On the surface this message looks wrong: the certificate's Subject CN clearly matches the hostname. Fetch the certificate from the client's point of view:
# openssl s_client -connect idmipa01.nix.mds.xyz:443 -servername idmipa01.nix.mds.xyz </dev/null 2>/dev/null | openssl x509 -outform PEM > freeipa.pem
This saves the server certificate to a file (the PEM block can equally be copied out of the s_client output by hand). Then decode it:
# openssl x509 -in freeipa.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 43 (0x2b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = NIX.MDS.XYZ, CN = Certificate Authority
Validity
Not Before: Sep 26 05:16:38 2022 GMT
Not After : Sep 26 05:16:38 2024 GMT
Subject: O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz
However, on closer inspection, the Subject Alternative Name extension carries only the Kerberos principal othername entries that the IPA CA adds by default, and no DNS entry:
X509v3 Subject Alternative Name:
othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::
So the error is accurate. The client matches the hostname against the DNS entries of subjectAltName, as RFC 6125 and current browsers and TLS libraries require; the Subject CN is a legacy fallback at best. Whether a given client still consults the CN for a certificate that has a SAN extension without DNS names depends on its TLS stack and version, and the Python ssl module that ipa-client-install uses on this client evidently does not, so the join fails even though the CN is right. The fix is the same in either case: get the server's DNS name into the SAN.
To add a DNS SAN entry, resubmit the certmonger request for the HTTP server certificate on each IPA server (every replica has its own certificate, so repeat this on all of them). First look up the Request ID, then resubmit it with -D, which asks the IPA CA to include the given DNS name in subjectAltName:
idmipa01: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa01: getcert resubmit -i REQUEST_ID_FROM_ABOVE -D $(hostname -f)
idmipa02: getcert list -d "/etc/httpd/alias" -n "Server-Cert"
idmipa02: getcert resubmit -i REQUEST_ID_FROM_ABOVE -D $(hostname -f)
Use hostname -f rather than hostname so the SAN gets the fully qualified name the clients actually connect to. On newer FreeIPA releases the Apache certificate is tracked as a PEM file (/var/lib/ipa/certs/httpd.crt) rather than as the Server-Cert nickname in /etc/httpd/alias; a plain getcert list shows every tracked request with its location, so pick the httpd one. Check with getcert list -i REQUEST_ID that the request is back in status MONITORING before testing from the client.
Verify again from the client, with the same openssl commands, that the certificates the FreeIPA servers now return carry a DNS SAN entry:
idmipa01:
X509v3 Subject Alternative Name:
DNS:idmipa01.nix.mds.xyz, othername: UPN::HTTP/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::
idmipa02:
X509v3 Subject Alternative Name:
DNS:idmipa02.nix.mds.xyz, othername: UPN::HTTP/idmipa02.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::
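As an added example (not part of the original post and not FreeIPA code), the following Python script reproduces the client-side hostname check against the two certificates shown above, using the dictionary layout that Python's ssl.getpeercert() returns. The two sample certificates are constructed inline from the openssl dumps; the fetch_peer_cert helper, its /etc/ipa/ca.crt default and the cn_fallback switch are this example's own and not anything ipa-client-install exposes.

```python
#!/usr/bin/env python3
"""Hostname check against a certificate's subjectAltName, the way a modern
TLS client does it.  Added example, not code from the original post or from
FreeIPA.  Certificates are handled in the dict layout that
ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import sys

# Constructed samples mirroring the two openssl x509 dumps in the post:
# the original certificate (othername SAN entries only) and the re-issued one.
CERT_BEFORE = {
    "subject": ((("organizationName", "NIX.MDS.XYZ"),),
                (("commonName", "idmipa01.nix.mds.xyz"),)),
    "subjectAltName": (("othername", "<unsupported>"),
                       ("othername", "<unsupported>")),
}
CERT_AFTER = {
    "subject": CERT_BEFORE["subject"],
    "subjectAltName": (("DNS", "idmipa01.nix.mds.xyz"),)
    + CERT_BEFORE["subjectAltName"],
}


def san_dns_names(cert):
    """DNS entries of subjectAltName; othername/IP/email entries are ignored."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """Subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_matches(pattern, hostname):
    """RFC 6125 matching: case-insensitive exact match, or a single wildcard
    as the whole leftmost label (*.nix.mds.xyz), never a partial one."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname, cn_fallback=False):
    """Return (ok, reason).  Only SAN DNS entries count; with cn_fallback=True
    the legacy rule applies and the CN is consulted when no DNS entry exists."""
    dns_names = san_dns_names(cert)
    for name in dns_names:
        if dns_matches(name, hostname):
            return True, "matched SAN DNS:%s" % name
    if cn_fallback and not dns_names:
        cn = common_name(cert)
        if cn and dns_matches(cn, hostname):
            return True, "matched legacy CN=%s (no DNS SAN present)" % cn
    if not dns_names:
        return False, "SAN has no DNS entry; CN=%s is not consulted" % common_name(cert)
    return False, "no SAN DNS entry matches %r (have %s)" % (hostname, dns_names)


def fetch_peer_cert(host, port=443, cafile="/etc/ipa/ca.crt"):
    """Fetch the server certificate over TLS, validated against the IPA CA
    (getpeercert() returns {} unless the chain was verified) but with the
    library's own hostname check disabled so we can apply ours and say why."""
    ctx = ssl.create_default_context(cafile=cafile)  # assumed CA file path
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def main(argv):
    if argv[1:]:
        # Live mode: python3 check_san.py idmipa01.nix.mds.xyz idmipa02.nix.mds.xyz
        for host in argv[1:]:
            ok, why = check_hostname(fetch_peer_cert(host), host)
            print("%s: %s (%s)" % (host, "OK" if ok else "FAIL", why))
        return
    host = "idmipa01.nix.mds.xyz"
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        for fallback in (False, True):
            ok, why = check_hostname(cert, host, cn_fallback=fallback)
            print("%-6s cn_fallback=%-5s -> %s: %s"
                  % (label, fallback, "OK" if ok else "FAIL", why))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it walks the two constructed certificates and shows that the original one only passes under the legacy CN rule, while the re-issued one passes under the strict SAN-only rule. Run with server names it connects to each /ipa/json endpoint's TLS port, validates the chain against the IPA CA and reports the same verdict, which is a quick way to confirm every replica after the getcert resubmit.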
With the DNS SAN in place, the ipa-client-install run from the beginning goes through. Hope this helps!
Cheers,