[Freeipa-users] Get certificate for virtual host on many hosts

Petr Spacek pspacek at redhat.com
Tue Jan 7 18:43:01 UTC 2014


On 7.1.2014 19:40, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 7.1.2014 19:21, Rob Crittenden wrote:
>>> Benjamin Soriano wrote:
>>>> Hello all,
>>>>
>>>> Here is the situation. I have a web service (reachable via
>>>> service.example.com) that runs on two servers (srv1.example.com and
>>>> srv2.example.com). The load is distributed on servers by a DNS round
>>>> robin.
>>>> And I want the certificate for https://service.example.com be managed by
>>>> IPA (which is my root CA) and take advantage of certificate monitoring.
>>>> The two servers are registered in IPA and can request their own
>>>> certificate.
>>>>
>>>> I managed to request the certificate on one of the servers by doing the
>>>> following:
>>>>
>>>> Create fake host on ds.example.com
>>>>  > ipa host-add service.example.com
>>>>  > ipa host-add-managedby service.example.com --hosts=srv1.example.com
>>>>  > ipa service-add HTTP/service.example.com
>>>>  > ipa service-add-hosts HTTP/service.example.com
>>>> --hosts=srv1.example.com
>>>>
>>>> Then request the certificate on srv1:
>>>>  > ipa-getcert request  -r -f /etc/pki/certs/service.example.com.crt -k
>>>> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
>>>> service.example.com -K HTTP/service.example.com
>>>>
>>>> It works pretty well. But if I add the second server that way:
>>>>  > ...
>>>>  > ipa host-add-managedby service.example.com
>>>> --hosts=srv1.example.com,srv2.example.com
>>>>  > ...
>>>>  > ipa service-add-hosts HTTP/service.example.com
>>>> --hosts=srv1.example.com,srv2.example.com
>>>>
>>>> I can only request the certificate on one of the servers. The first
>>>> request is going well (no matter on which server I do it) and the second
>>>> is stuck in this state:
>>>>
>>>> Request ID '20140107165415':
>>>>          status: CA_REJECTED
>>>>          ca-error: Server denied our request, giving up: 2100 (RPC
>>>> failed at server.  Insufficient access: not allowed to perform this
>>>> command).
>>>>          stuck: yes
>>>>          key pair storage:
>>>> type=FILE,location='/etc/pki/private/service.example.com.key'
>>>>          certificate:
>>>> type=FILE,location='/etc/pki/certs/service.example.com.crt'
>>>>          CA: IPA
>>>>          ...
>>>>
>>>> Is this a normal behavior?
>>>>
>>>> If yes, what could be the right way to achieve what I want?
>>>>
>>>> Regards,
>>>
>>> The problem is you would have two separate, valid certificates for the
>>> same service and we only store one at a time. The second request is
>>> going to try to revoke the original cert in order to issue another one.
>>> I'm guessing it is failing on the revocation step.
>>>
>>> I think you'll need to pick one server to manage it and manually copy
>>> it to any other servers. This loses the advantage of certmonger on the
>>> other boxes unfortunately.
>>
>> I think that 'the right approach' is to issue separate certificates for
>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
>> Name) cn=service.example.com to both of them.
>>
>> See
>> http://en.wikipedia.org/wiki/SubjectAltName
>>
>> I'm not sure how to get such certificate from FreeIPA. Rob, could you
>> add some details?
>>
>
> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977

Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is on
review :-)

-- 
Petr^2 Spacek
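As an added example that is not part of this thread and not FreeIPA's or certmonger's own tooling: a POSIX shell check that parses the `ipa-getcert list` record format quoted above and reports every request certmonger marks as `stuck: yes`, so a cron or monitoring job notices a CA_REJECTED request like the one Benjamin hit instead of a host quietly serving a certificate that will never be renewed. The sample records are constructed from the block in the thread (the second, healthy record is invented), and the function names are my own; the parser assumes the one-field-per-indented-line layout shown there.

```shell
#!/bin/sh
# Added example: flag certmonger requests that are stuck at the CA by parsing
# the record layout printed by `ipa-getcert list`. Not code from the thread.

# Constructed sample output modelled on the record posted in the thread; the
# second record is invented to show a healthy request. Real output indents
# fields with a tab, which the parser below accepts alongside spaces.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140107165415':
	status: CA_REJECTED
	ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).
	stuck: yes
	key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
	certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
	CA: IPA
Request ID '20140107165400':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/private/srv1.example.com.key'
	certificate: type=FILE,location='/etc/pki/certs/srv1.example.com.crt'
	CA: IPA
EOF
}

# Constructed sample with no stuck request, for the negative case.
sample_healthy_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20140107165400':
	status: MONITORING
	stuck: no
	certificate: type=FILE,location='/etc/pki/certs/srv1.example.com.crt'
	CA: IPA
EOF
}

# stuck_requests: read `ipa-getcert list` output on stdin and print one
# tab-separated line per stuck request: ID, status, certificate path, ca-error.
# The single quote is passed in via -v so the awk program needs no escaping.
stuck_requests() {
    awk -v q="'" '
        /^Request ID/          { flush(); id = $3; gsub("[" q ":]", "", id) }
        /^[ \t]*status:/       { status = $2 }
        /^[ \t]*stuck:/        { stuck = $2 }
        /^[ \t]*certificate:/  { cert = $0; sub(".*location=" q, "", cert); sub(q ".*", "", cert) }
        /^[ \t]*ca-error:/     { err = $0; sub(/^[ \t]*ca-error: */, "", err) }
        END                    { flush() }
        # Emit the record collected so far if certmonger marked it stuck, then reset.
        function flush() {
            if (id != "" && stuck == "yes") printf "%s\t%s\t%s\t%s\n", id, status, cert, err
            id = ""; status = ""; stuck = ""; cert = ""; err = ""
        }
    '
}

# report_stuck_requests: returns 1 (and prints the offenders to stderr) when any
# request is stuck, 0 otherwise, so it can drive an alert from a cron job.
report_stuck_requests() {
    found=$(stuck_requests)
    if [ -n "$found" ]; then
        printf 'stuck certmonger request(s):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# On a real host: ipa-getcert list | report_stuck_requests
# Demonstration on the constructed sample (exit status 1 is the expected result here):
sample_getcert_list | report_stuck_requests || printf 'demo exit status: %s\n' "$?"
```

The check deliberately keys on certmonger's own `stuck: yes` verdict rather than on the status name, so it also catches requests that end up stuck for reasons other than the CA_REJECTED seen in this thread.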