[Freeipa-users] Get certificate for virtual host on many hosts

Benjamin Soriano benjamin.soriano at lyra-network.com
Wed Jan 8 08:51:07 UTC 2014


Le 07/01/2014 19:43, Petr Spacek a écrit :
> On 7.1.2014 19:40, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 7.1.2014 19:21, Rob Crittenden wrote:
>>>> Benjamin Soriano wrote:
>>>>> Hello all,
>>>>>
>>>>> Here is the situation. I have a web service (reachable via
>>>>> service.example.com) that runs on two servers (srv1.example.com and
>>>>> srv2.example.com). The load is distributed on servers by a DNS round
>>>>> robin.
>>>>> And I want the certificate for https://service.example.com to be
>>>>> managed by IPA (which is my root CA) and take advantage of certificate
>>>>> monitoring.
>>>>> The two servers are registered in IPA and can request their own
>>>>> certificate.
>>>>>
>>>>> I managed to request the certificate on one of the servers by doing
>>>>> the following:
>>>>>
>>>>> Create fake host on ds.example.com
>>>>>  > ipa host-add service.example.com
>>>>>  > ipa host-add-managedby service.example.com 
>>>>> --hosts=srv1.example.com
>>>>>  > ipa service-add HTTP/service.example.com
>>>>>  > ipa service-add-hosts HTTP/service.example.com
>>>>> --hosts=srv1.example.com
>>>>>
>>>>> Then request the certificate on srv1 :
>>>>>  > ipa-getcert request  -r -f 
>>>>> /etc/pki/certs/service.example.com.crt -k
>>>>> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
>>>>> service.example.com -K HTTP/service.example.com
>>>>>
>>>>> It works pretty well. But if I add the second server that way:
>>>>>  > ...
>>>>>  > ipa host-add-managedby service.example.com
>>>>> --hosts=srv1.example.com,srv2.example.com
>>>>>  > ...
>>>>>  > ipa service-add-hosts HTTP/service.example.com
>>>>> --hosts=srv1.example.com,srv2.example.com
>>>>>
>>>>> I can only request the certificate on one of the servers. The first
>>>>> request is going well (no matter on which server I do it) and the
>>>>> second is stuck in this state:
>>>>>
>>>>> Request ID '20140107165415':
>>>>>          status: CA_REJECTED
>>>>>          ca-error: Server denied our request, giving up: 2100 (RPC
>>>>> failed at server.  Insufficient access: not allowed to perform this
>>>>> command).
>>>>>          stuck: yes
>>>>>          key pair storage:
>>>>> type=FILE,location='/etc/pki/private/service.example.com.key'
>>>>>          certificate:
>>>>> type=FILE,location='/etc/pki/certs/service.example.com.crt'
>>>>>          CA: IPA
>>>>>          ...
>>>>>
>>>>> Is this a normal behavior?
>>>>>
>>>>> If yes, what could be the right way to achieve what I want?
>>>>>
>>>>> Regards,
>>>>
>>>> The problem is you would have two separate, valid certificates for the
>>>> same service and we only store one at a time. The second request is
>>>> going to try to revoke the original cert in order to issue another one.
>>>> I'm guessing it is failing on the revocation step.
>>>>
>>>> I think you'll need to pick one server to manage it and manually copy
>>>> it to any other servers. This loses the advantage of certmonger on the
>>>> other boxes unfortunately.
>>>
>>> I think that 'the right approach' is to issue separate certificates for
>>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
>>> Name) cn=service.example.com to both of them.
>>>
>>> See
>>> http://en.wikipedia.org/wiki/SubjectAltName
>>>
>>> I'm not sure how to get such certificate from FreeIPA. Rob, could you
>>> add some details?
>>>
>>
>> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977
>
> Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is
> under review :-)
>
Indeed, lucky me. Thanks a lot guys!
-- 
Benjamin soriano
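The failure in the thread only surfaced because someone looked at the request by hand: certmonger had given up (status CA_REJECTED, stuck: yes) and would never have renewed that certificate. The script below is an added example, not code from the thread or from FreeIPA/certmonger; it parses the output of `getcert list` (the same layout quoted above, reproduced here as a constructed sample with the two function names `stuck_requests` and `check_certmonger` chosen for this example) and reports any request certmonger has marked as stuck, so a cron job or monitoring check can flag it instead of waiting for the expiry.

```shell
#!/bin/sh
# Added example (not from the thread): flag certmonger requests that have
# been abandoned. `getcert list` prints one record per tracked request;
# a record with "stuck: yes" will never be retried without intervention.

# Constructed sample in the layout of `getcert list`: one rejected request
# (the error seen in the thread) and one healthy request.
SAMPLE_GETCERT_OUTPUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
        certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
        CA: IPA
        issuer:
        subject:
Request ID '20140107120000':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/private/srv1.example.com.key'
        certificate: type=FILE,location='/etc/pki/certs/srv1.example.com.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=srv1.example.com,O=EXAMPLE.COM
EOF
)

# stuck_requests: read `getcert list` output on stdin and print one line
# per stuck request:  <request id> <status> <ca-error or "-">
stuck_requests() {
    awk '
        function flush() {
            if (id != "" && stuck == "yes")
                print id " " status " " (err == "" ? "-" : err)
            id = ""; status = ""; stuck = ""; err = ""
        }
        # A new record starts with: Request ID '"'"'<id>'"'"':
        /^Request ID / {
            flush()
            id = substr($3, 2, length($3) - 3)   # strip the quotes and colon
        }
        /^[ \t]*status:/   { sub(/^[ \t]*status:[ \t]*/, "");   status = $0 }
        /^[ \t]*stuck:/    { sub(/^[ \t]*stuck:[ \t]*/, "");    stuck = $0 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        END { flush() }
    '
}

# check_certmonger: exit status 1 (and a report on stderr) when any request
# is stuck, 0 otherwise, so it can sit directly in a monitoring check.
check_certmonger() {
    found=$(stuck_requests)
    if [ -n "$found" ]; then
        printf 'STUCK certmonger requests (will not renew on their own):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample. On a real host use:
#   getcert list | check_certmonger
printf '%s\n' "$SAMPLE_GETCERT_OUTPUT" | check_certmonger \
    || echo "at least one certmonger request needs attention"
```

For the thread's scenario the report names request 20140107165415 with the IPA error text, which is exactly the information needed to notice that the second host's request was rejected at the revocation step rather than merely delayed. In the variant the thread ends up recommending (a per-host certificate carrying the shared name as a SAN), nothing is shared between the hosts' requests, so a stuck state on one host no longer means the other is in doubt.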