[Freeipa-users] Get certificate for virtual host on many hosts

Rob Crittenden rcritten at redhat.com
Tue Jan 7 18:40:03 UTC 2014


Petr Spacek wrote:
> On 7.1.2014 19:21, Rob Crittenden wrote:
>> Benjamin Soriano wrote:
>>> Hello all,
>>>
>>> Here is the situation. I have a web service (reachable via
>>> service.example.com) that runs on two servers (srv1.example.com and
>>> srv2.example.com). The load is distributed on servers by a DNS round
>>> robin.
>>> And I want the certificate for https://service.example.com be managed by
>>> IPA (which is my root CA) and take advantage of certificate monitoring.
>>> The two servers are registered in IPA and can request their own
>>> certificate.
>>>
>>> I managed to request the certificate on one of the servers by doing the
>>> following :
>>>
>>> Create fake host on ds.example.com
>>>  > ipa host-add service.example.com
>>>  > ipa host-add-managedby service.example.com --hosts=srv1.example.com
>>>  > ipa service-add HTTP/service.example.com
>>>  > ipa service-add-hosts HTTP/service.example.com
>>> --hosts=srv1.example.com
>>>
>>> Then request the certificate on srv1 :
>>>  > ipa-getcert request  -r -f /etc/pki/certs/service.example.com.crt -k
>>> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
>>> service.example.com -K HTTP/service.example.com
>>>
>>> It works pretty well. But if I add the second server that way :
>>>  > ...
>>>  > ipa host-add-managedby service.example.com
>>> --hosts=srv1.example.com,srv2.example.com
>>>  > ...
>>>  > ipa service-add-hosts HTTP/service.example.com
>>> --hosts=srv1.example.com,srv2.example.com
>>>
>>> I can only request the certificate on one of the servers. The first
>>> request is going well (no matter on which server I do it) and the second
>>> is stuck in this state :
>>>
>>> Request ID '20140107165415':
>>>          status: CA_REJECTED
>>>          ca-error: Server denied our request, giving up: 2100 (RPC
>>> failed at server.  Insufficient access: not allowed to perform this
>>> command).
>>>          stuck: yes
>>>          key pair storage:
>>> type=FILE,location='/etc/pki/private/service.example.com.key'
>>>          certificate:
>>> type=FILE,location='/etc/pki/certs/service.example.com.crt'
>>>          CA: IPA
>>>          ...
>>>
>>> Is this normal behavior?
>>>
>>> If yes, what could be the right way to achieve what I want?
>>>
>>> Regards,
>>
>> The problem is you would have two separate, valid certificates for the
>> same service and we only store one at a time. The second request is
>> going to try to revoke the original cert in order to issue another one.
>> I'm guessing it is failing on the revocation step.
>>
>> I think you'll need to pick one server to manage it and manually copy it
>> to any other servers. This loses the advantage of certmonger on the
>> other boxes unfortunately.
>
> I think that 'the right approach' is to issue separate certificates for
> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
> Name) cn=service.example.com to both of them.
>
> See
> http://en.wikipedia.org/wiki/SubjectAltName
>
> I'm not sure how to get such certificate from FreeIPA. Rob, could you
> add some details?
>

Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977

rob
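The status block quoted above is what `getcert list` prints when certmonger has given up on a request. The following is an added example, not code from the thread or from FreeIPA/certmonger: it parses that output, lists requests that are stuck or CA_REJECTED, and, given the `getcert list` output of several hosts, reports any service principal that more than one host is tracking, which is the condition Rob describes (IPA stores one certificate per service entry, so the second host's request tries to replace the first). The two sample outputs are constructed to match the block in the thread; the second host's request is shown in MONITORING state for contrast. The field names used (`status`, `stuck`, `ca-error`, `principal name`) follow the `key: value` layout getcert prints, but the exact set of fields is an assumption about your certmonger version.

```python
"""Flag stuck certmonger requests and service principals tracked from more
than one host, by parsing `getcert list` output.

Added example; not part of the thread or of FreeIPA/certmonger itself.
"""
import re
from typing import Dict, List

# Constructed sample: what srv2 would show after its request was rejected.
GETCERT_SRV2 = """\
Number of certificates and requests being tracked: 1.
Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
        certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
        CA: IPA
        subject: CN=service.example.com,O=EXAMPLE.COM
        principal name: HTTP/service.example.com@EXAMPLE.COM
"""

# Constructed sample: srv1 holds the one certificate IPA stored for the service.
GETCERT_SRV1 = """\
Number of certificates and requests being tracked: 1.
Request ID '20140107164812':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
        certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
        CA: IPA
        subject: CN=service.example.com,O=EXAMPLE.COM
        expires: 2016-01-08 16:48:12 UTC
        principal name: HTTP/service.example.com@EXAMPLE.COM
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Turn `getcert list` output into one dict per tracked request."""
    requests: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        header = REQUEST_HEADER.match(line.strip())
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        # Attribute lines are indented under their request; the unindented
        # summary line before the first request carries no fields.
        if current is None or not line[:1].isspace():
            continue
        # Split on the first colon only: ca-error values contain colons.
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def stuck_requests(text: str) -> List[Dict[str, str]]:
    """Requests certmonger has given up on (stuck, or rejected by the CA)."""
    return [r for r in parse_getcert_list(text)
            if r.get("stuck") == "yes" or r.get("status") == "CA_REJECTED"]


def shared_principals(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Principals tracked by certmonger on more than one host.

    `outputs` maps hostname -> that host's `getcert list` text. Because IPA
    keeps a single certificate per service entry, a principal requested from
    two hosts is the setup that produces the rejection seen in the thread.
    """
    hosts_for: Dict[str, set] = {}
    for host, text in outputs.items():
        for r in parse_getcert_list(text):
            principal = r.get("principal name")
            if principal:
                hosts_for.setdefault(principal, set()).add(host)
    return {p: sorted(h) for p, h in hosts_for.items() if len(h) > 1}


if __name__ == "__main__":
    for r in stuck_requests(GETCERT_SRV2):
        print(f"srv2: request {r['id']} {r['status']}: {r.get('ca-error', '')}")
    fleet = {"srv1.example.com": GETCERT_SRV1, "srv2.example.com": GETCERT_SRV2}
    for principal, hosts in shared_principals(fleet).items():
        print(f"{principal} is tracked on {', '.join(hosts)}")
```

Run with real input by feeding the output of `getcert list` from each host into `shared_principals`; any principal it reports is one where only a single host can hold the IPA-issued certificate and the others will be stuck exactly as shown above.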
