[Freeipa-users] Get certificate for virtual host on many hosts

Petr Spacek pspacek at redhat.com
Tue Jan 7 18:33:05 UTC 2014


On 7.1.2014 19:21, Rob Crittenden wrote:
> Benjamin Soriano wrote:
>> Hello all,
>>
>> Here is the situation. I have a web service (reachable via
>> service.example.com) that runs on two servers (srv1.example.com and
>> srv2.example.com). The load is distributed on servers by a DNS round robin.
>> And I want the certificate for https://service.example.com to be managed by
>> IPA (which is my root CA) and take advantage of certificate monitoring.
>> The two servers are registered in IPA and can request their own
>> certificate.
>>
>> I managed to request the certificate on one of the servers by doing the
>> following :
>>
>> Create fake host on ds.example.com
>>  > ipa host-add service.example.com
>>  > ipa host-add-managedby service.example.com --hosts=srv1.example.com
>>  > ipa service-add HTTP/service.example.com
>>  > ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com
>>
>> Then request the certificate on srv1 :
>>  > ipa-getcert request  -r -f /etc/pki/certs/service.example.com.crt -k
>> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
>> service.example.com -K HTTP/service.example.com
>>
>> It works pretty well. But if I add the second server that way :
>>  > ...
>>  > ipa host-add-managedby service.example.com
>> --hosts=srv1.example.com,srv2.example.com
>>  > ...
>>  > ipa service-add-hosts HTTP/service.example.com
>> --hosts=srv1.example.com,srv2.example.com
>>
>> I can only request the certificate on one of the servers. The first
>> request is going well (no matter on which server I do it) and the second
>> is stuck in this state :
>>
>> Request ID '20140107165415':
>>          status: CA_REJECTED
>>          ca-error: Server denied our request, giving up: 2100 (RPC
>> failed at server.  Insufficient access: not allowed to perform this
>> command).
>>          stuck: yes
>>          key pair storage:
>> type=FILE,location='/etc/pki/private/service.example.com.key'
>>          certificate:
>> type=FILE,location='/etc/pki/certs/service.example.com.crt'
>>          CA: IPA
>>          ...
>>
>> Is this a normal behavior?
>>
>> If yes, what could be the right way to achieve what I want?
>>
>> Regards,
>
> The problem is you would have two separate, valid certificates for the same
> service and we only store one at a time. The second request is going to try to
> revoke the original cert in order to issue another one. I'm guessing it is
> failing on the revocation step.
>
> I think you'll need to pick one server to manage it and manually copy it to
> any other servers. This loses the advantage of certmonger on the other boxes
> unfortunately.

I think that 'the right approach' is to issue separate certificates for 
srv1.example.com and srv2.example.com and add SAN (Subject Alternative Name) 
cn=service.example.com to both of them.

See
http://en.wikipedia.org/wiki/SubjectAltName

I'm not sure how to get such a certificate from FreeIPA. Rob, could you add some 
details?

-- 
Petr^2 Spacek

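Added here as an editor's example, not part of the thread or of certmonger/FreeIPA itself: a small Python parser for `ipa-getcert list` output that flags requests certmonger has given up on, like the CA_REJECTED one quoted above, so a stuck request is caught by monitoring instead of being noticed by hand. The sample output is constructed and abbreviated from the thread; the field layout (a `Request ID` line followed by indented `key: value` lines) is what `ipa-getcert list` prints.

```python
import re

# Constructed, abbreviated `ipa-getcert list` output modelled on the thread:
# the first request succeeded, the second is the one the IPA CA refused.
SAMPLE = """\
Request ID '20140107160001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/etc/pki/certs/srv1.example.com.crt'
\tCA: IPA
Request ID '20140107165415':
\tstatus: CA_REJECTED
\tca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).
\tstuck: yes
\tcertificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
\tCA: IPA
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Indented "key: value"; the non-greedy key stops at the FIRST colon, so a
# ca-error message that itself contains colons is kept whole as the value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")


def parse_getcert_list(text: str) -> dict:
    """Map each request ID to a dict of its fields."""
    requests: dict = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f.group(1)] = f.group(2).strip()
    return requests


def failed_requests(text: str) -> list:
    """Requests certmonger gave up on (stuck: yes or CA_REJECTED), with the
    IPA RPC error code (2100 in the thread) pulled out of ca-error."""
    out = []
    for rid, fields in parse_getcert_list(text).items():
        status = fields.get("status", "")
        if fields.get("stuck") != "yes" and status != "CA_REJECTED":
            continue
        err = fields.get("ca-error", "")
        code = re.search(r"\b(\d{4})\b", err)
        out.append({"id": rid, "status": status, "error": err,
                    "rpc_code": int(code.group(1)) if code else None,
                    "cert": fields.get("certificate", "")})
    return out
```

Feed it the real output (`ipa-getcert list`) from each server in a cron job or monitoring check and alert on a non-empty result; the `rpc_code` and `error` fields give the reason the CA refused, which in the thread was the access-denied error on the second host.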