You are using a wildcard certificate for your LDAP server. After you upgrade to PE 2018.1 or later from any version prior to 2018.1, you are not able to log into the console, and LDAP authentication fails.
Error messages and logs
You get the following error message in /var/log/puppetlabs/console-services/console-services.log:
Hostname verification failed because the expected hostname 'ldap.abc.com' was not found in peer certificate 'subject='CN=*.abc.com
In PE 2018.1, hostname and wildcard configuration options were added to the RBAC directory services to validate that the LDAP server's certificate matches the hostname that PE (the connecting client) uses. By default, ssl_hostname_validation is set to true and ssl_wildcard_validation is set to false.
With these default settings, LDAP SSL authentication fails if the installed certificate's subject does not match the LDAP server FQDN (for example, when you use a wildcard certificate).
Version and installation information
PE version: 2018.1 and later versions
Installation type: monolithic
Solution
- On the primary server (called the master in older versions of PE), export your directory services (DS) configuration to a file named ds.txt:
curl -X GET --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds > ds.txt
- Edit ds.txt and update ssl_hostname_validation and/or ssl_wildcard_validation to true or false as necessary. If the SSL certificate is a wildcard certificate, set both to true. If the SSL certificate CN is different from the LDAP server FQDN, set both to false.
Note: Setting both to false has security implications. Read more about it in our documentation.
- Test the changed settings:
curl -i -X PUT -H "Content-Type: application/json" --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds/test -d @ds.txt
If the new settings are valid, this returns HTTP 200.
- If the test was successful, apply the new settings. Run:
curl -i -X PUT -H "Content-Type: application/json" --cert $(puppet config print hostcert) --key $(puppet config print hostprivkey) --cacert $(puppet config print localcacert) https://$(hostname -f):4433/rbac-api/v1/ds -d @ds.txt
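The following is an added example, not code from this article or from Puppet: it models the name check behind the two flags so you can predict, before editing ds.txt, whether the LDAP server's certificate will be accepted under each combination. The matching rules (a wildcard only as the whole leftmost label, covering exactly one label) are the usual RFC 6125 rules and are assumed here to describe PE's behaviour; they are not taken from PE's source.

```python
# Added example: models the effect of ssl_hostname_validation and
# ssl_wildcard_validation on the certificate name check described above.
# The matching rules are an assumption (RFC 6125 style), not PE's own code.
from typing import Iterable


def name_matches(expected_host: str, cert_name: str, allow_wildcard: bool) -> bool:
    """True if cert_name (a subject CN or DNS SAN) covers expected_host."""
    host_labels = expected_host.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False  # "*.abc.com" never covers "abc.com" or "a.b.abc.com"
    if cert_labels[0] == "*":
        if not allow_wildcard:
            return False  # the ssl_wildcard_validation=false case from the log above
        if "*" in cert_labels[1:]:
            return False  # a wildcard is only permitted in the leftmost label
        return cert_labels[1:] == host_labels[1:]
    # "ld*.abc.com" is not treated as a wildcard: labels must match exactly
    return cert_labels == host_labels


def ldap_cert_accepted(expected_host: str, cert_names: Iterable[str],
                       ssl_hostname_validation: bool = True,
                       ssl_wildcard_validation: bool = False) -> bool:
    """Decide whether the LDAP server's certificate names pass the check."""
    if not ssl_hostname_validation:
        # No name check at all: any certificate that chains to a trusted CA
        # is accepted, which is the "security implications" the note refers to.
        return True
    return any(name_matches(expected_host, n, ssl_wildcard_validation)
               for n in cert_names)


# Constructed sample: the article's LDAP hostname and wildcard certificate.
LDAP_HOST = "ldap.abc.com"
WILDCARD_CERT = ["*.abc.com"]

if __name__ == "__main__":
    print(ldap_cert_accepted(LDAP_HOST, WILDCARD_CERT))              # False (the PE 2018.1 default)
    print(ldap_cert_accepted(LDAP_HOST, WILDCARD_CERT, True, True))  # True (both set to true)
    print(ldap_cert_accepted("evil.example.com", WILDCARD_CERT, False, False))  # True (no check)
```

With both flags true the wildcard certificate is accepted only for single-label hosts under abc.com, which is why that setting is preferable to disabling the check entirely when the certificate is a wildcard.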