{"id":6355,"date":"2023-11-19T22:34:05","date_gmt":"2023-11-20T03:34:05","guid":{"rendered":"https:\/\/microdevsys.com\/wp\/?p=6355"},"modified":"2023-11-26T10:09:09","modified_gmt":"2023-11-26T15:09:09","slug":"ssl-certificate_verify_failed-certificate-verify-failename-mismatch-certificate-is-not-valid-for-idmipa01-nix-mds-xyz","status":"publish","type":"post","link":"https:\/\/microdevsys.com\/wp\/ssl-certificate_verify_failed-certificate-verify-failename-mismatch-certificate-is-not-valid-for-idmipa01-nix-mds-xyz\/","title":{"rendered":"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’"},"content":{"rendered":"

When joining a new client to the FreeIPA servers:<\/p>\n

# ipa-client-install –uninstall; ipa-client-install –force-join -p USER -w “SECRET” –fixed-primarver=idmipa01.nix.mds.xyz –server=idmipa02.nix.mds.xyz –domain=nix.mds.xyz –realm=NIX.MDS.XYZ -U<\/span><\/p>\n

the following\u00a0 message is visible:<\/p>\n

Connection to https:\/\/idmipa01.nix.mds.xyz\/ipa\/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’. (_ssl.c:1007)<\/span>
\nConnection to https:\/\/idmipa02.nix.mds.xyz\/ipa\/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa02.nix.mds.xyz’. (_ssl.c:1007)<\/span><\/p>\n

On the surface this message doesn’t make much sense.\u00a0 The certificate definitely matches the hostname:<\/p>\n

openssl s_client -connect idmipa01.nix.mds.xyz:443<\/span><\/p>\n

save certificate to a file by copying it out from the output of above command, then issue:<\/p>\n

\r\n# openssl x509 -in freeipa.pem -text -noout <\/dev\/null\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number: 43 (0x2b)\r\n        Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: O = NIX.MDS.XYZ, CN = Certificate Authority\r\n        Validity\r\n            Not Before: Sep 26 05:16:38 2022 GMT\r\n            Not After : Sep 26 05:16:38 2024 GMT\r\n        Subject: O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz\r\n<\/strong><\/code><\/pre>\n
However, on closer inspection, there is no SAN entry:<\/p>\n
\r\n            X509v3 Subject Alternative Name:\r\n                othername: UPN::HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::\r\n<\/code><\/pre>\n
Do add a SAN entry, issue the following on each IPA server, including the replicas you may have to add in a SAN certificate entry:<\/p>\n
idmipa01: getcert list -d “\/etc\/httpd\/alias” -n “Server-Cert”<\/span>
\nidmipa01: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)<\/span><\/p>\n
idmipa02: getcert list -d “\/etc\/httpd\/alias” -n “Server-Cert”<\/span>
\nidmipa02: getcert resubmit -i FROM_ABOVE_COMMAND -D $(hostname)<\/span><\/p>\n
Verify again with openssl commands, from the client that the returned FreeIPA certificates now have a SAN entry:<\/p>\n
\r\nidmipa01:\r\n            X509v3 Subject Alternative Name:\r\n                DNS:idmipa01.nix.mds.xyz, othername: UPN::HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::\r\n\r\nidmipa02:\r\n            X509v3 Subject Alternative Name:\r\n                DNS:idmipa02.nix.mds.xyz, othername: UPN::HTTP\/idmipa02.nix.mds.xyz@NIX.MDS.XYZ, othername: 1.3.6.1.5.2.2::\r\n<\/code><\/pre>\n
Hope this helps!<\/p>\n
Cheers,<\/p>\n\n    
\n\n\t\t\n        
    \n\t\t\t        <\/ul>\n    <\/div> \n","protected":false},"excerpt":{"rendered":"
    When joining a new client to the FreeIPA servers: # ipa-client-install –uninstall; ipa-client-install –force-join -p USER -w “SECRET” –fixed-primarver=idmipa01.nix.mds.xyz –server=idmipa02.nix.mds.xyz –domain=nix.mds.xyz –realm=NIX.MDS.XYZ -U the following\u00a0 message is visible: Connection to https:\/\/idmipa01.nix.mds.xyz\/ipa\/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failename mismatch, certificate is not valid for ‘idmipa01.nix.mds.xyz’. (_ssl.c:1007) Connection to https:\/\/idmipa02.nix.mds.xyz\/ipa\/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6355","post","type-post","status-publish","format-standard","hentry","category-unix-linux-admin-stuff"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/comments?post=6355"}],"version-history":[{"count":1,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6355\/revisions"}],"predecessor-version":[{"id":6356,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6355\/revisions\/6356"}],"wp:attachment":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/media?parent=6355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/categories?post=6355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/tags?post=6355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}