[Freeipa-users] Get certificate for virtual host on many hosts

Rob Crittenden rcritten at redhat.com
Tue Jan 7 18:21:07 UTC 2014


Benjamin Soriano wrote:
> Hello all,
>
> Here is the situation. I have a web service (reachable via
> service.example.com) that runs on two servers (srv1.example.com and
> srv2.example.com). The load is distributed across the servers by DNS round robin.
> And I want the certificate for https://service.example.com to be managed by
> IPA (which is my root CA) and take advantage of certificate monitoring.
> The two servers are registered in IPA and can request their own
> certificate.
>
> I managed to request the certificate on one of the servers by doing the
> following:
>
> Create fake host on ds.example.com
>  > ipa host-add service.example.com
>  > ipa host-add-managedby service.example.com --hosts=srv1.example.com
>  > ipa service-add HTTP/service.example.com
>  > ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com
>
> Then request the certificate on srv1:
>  > ipa-getcert request  -r -f /etc/pki/certs/service.example.com.crt -k
> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
> service.example.com -K HTTP/service.example.com
>
> It works pretty well. But if I add the second server that way:
>  > ...
>  > ipa host-add-managedby service.example.com
> --hosts=srv1.example.com,srv2.example.com
>  > ...
>  > ipa service-add-hosts HTTP/service.example.com
> --hosts=srv1.example.com,srv2.example.com
>
> I can only request the certificate on one of the servers. The first
> request goes well (no matter on which server I do it) and the second
> is stuck in this state:
>
> Request ID '20140107165415':
>          status: CA_REJECTED
>          ca-error: Server denied our request, giving up: 2100 (RPC
> failed at server.  Insufficient access: not allowed to perform this
> command).
>          stuck: yes
>          key pair storage:
> type=FILE,location='/etc/pki/private/service.example.com.key'
>          certificate:
> type=FILE,location='/etc/pki/certs/service.example.com.crt'
>          CA: IPA
>          ...
>
> Is this normal behavior?
>
> If yes, what could be the right way to achieve what I want?
>
> Regards,

The problem is you would have two separate, valid certificates for the 
same service and we only store one at a time. The second request is 
going to try to revoke the original cert in order to issue another one. 
I'm guessing it is failing on the revocation step.

I think you'll need to pick one server to manage it and manually copy it 
to any other servers. This loses the advantage of certmonger on the 
other boxes unfortunately.

rob
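As an added example (not code from the thread, from FreeIPA or from certmonger), here is a script that implements Rob's suggestion on top of Benjamin's commands: srv1 is the only managing host for the shared principal, a certmonger post-save command copies the key and certificate to srv2 after every issuance and renewal, and a small check parses the `getcert list` output shown in the post. The hook install path and root ssh/scp access from srv1 to srv2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one server (srv1) holds the certmonger
# tracking request for HTTP/service.example.com and pushes each issued or
# renewed cert to the other server, as Rob suggests. Names and paths are the
# ones from the post; the hook path and root ssh/scp access are assumptions.
SERVICE=service.example.com
PRIMARY=srv1.example.com       # only managing host: its requests are accepted
SECONDARY=srv2.example.com     # receives copies, runs no certmonger request
CERT=/etc/pki/certs/$SERVICE.crt
KEY=/etc/pki/private/$SERVICE.key
HOOK=/usr/local/sbin/push-service-cert   # assumed install path of this script

# On an admin host: the entries from the post, managed by PRIMARY only.
setup() {
    ipa host-add "$SERVICE"
    ipa host-add-managedby "$SERVICE" --hosts="$PRIMARY"
    ipa service-add "HTTP/$SERVICE"
    ipa service-add-hosts "HTTP/$SERVICE" --hosts="$PRIMARY"
}

# On PRIMARY: request once. -C registers a post-save command that certmonger
# runs after every issuance and renewal, so SECONDARY stays in sync.
request() {
    ipa-getcert request -r -f "$CERT" -k "$KEY" -N "CN=$SERVICE" \
        -D "$SERVICE" -K "HTTP/$SERVICE" -C "$HOOK push"
}

# Post-save hook on PRIMARY: copy key and cert to SECONDARY, reload its httpd.
push() {
    scp -p "$KEY" "root@$SECONDARY:$KEY"
    scp -p "$CERT" "root@$SECONDARY:$CERT"
    ssh "root@$SECONDARY" systemctl reload httpd
}

# Parse `getcert list` output on stdin and print "<status> <stuck>". A second
# request from another managing host ends up as "CA_REJECTED yes" (see post);
# a healthy tracked request reports "MONITORING no".
check_status() {
    awk '/^[[:space:]]*status:/ { s = $2 } /^[[:space:]]*stuck:/ { k = $2 }
         END { print s, k }'
}
check() { getcert list -f "$CERT" | check_status; }

case "${1:-}" in
    setup) setup ;;  request) request ;;  push) push ;;  check) check ;;
    "") ;;                       # sourced or run without a subcommand: no-op
    *) echo "usage: $0 setup|request|push|check" >&2; exit 1 ;;
esac
```

Run `setup` once on a host with admin credentials, `request` on srv1, and `check` on srv1 to confirm the request reaches MONITORING rather than the CA_REJECTED state from the post.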
