[Freeipa-users] Get certificate for virtual host on many hosts

Simo Sorce simo at redhat.com
Wed Jan 8 14:25:53 UTC 2014 

On Wed, 2014-01-08 at 09:51 +0100, Benjamin Soriano wrote:
> Le 07/01/2014 19:43, Petr Spacek a écrit :
> > On 7.1.2014 19:40, Rob Crittenden wrote:
> >> Petr Spacek wrote:
> >>> On 7.1.2014 19:21, Rob Crittenden wrote:
> >>>> Benjamin Soriano wrote:
> >>>>> Hello all,
> >>>>>
> >>>>> Here is the situation. I have a web service (reachable via
> >>>>> service.example.com) that run on two servers (srv1.example.com and
> >>>>> srv2.example.com). The load is distributed on servers by a DNS round
> >>>>> robin.
> >>>>> And I want the certificate for https://service.example.com be 
> >>>>> managed by
> >>>>> IPA (which is my root CA) and take advantage of certificate 
> >>>>> monitoring.
> >>>>> The two servers are registered in IPA and can request their own
> >>>>> certificate.
> >>>>>
> >>>>> I manage to request the certificate on one of the servers by doing 
> >>>>> the
> >>>>> following :
> >>>>>
> >>>>> Create fake host on ds.example.com
> >>>>>  > ipa host-add service.example.com
> >>>>>  > ipa host-add-managedby service.example.com 
> >>>>> --hosts=srv1.example.com
> >>>>>  > ipa service-add HTTP/service.example.com
> >>>>>  > ipa service-add-hosts HTTP/service.example.com
> >>>>> --hosts=srv1.example.com
> >>>>>
> >>>>> Then request the certificate on srv1 :
> >>>>>  > ipa-getcert request  -r -f 
> >>>>> /etc/pki/certs/service.example.com.crt -k
> >>>>> /etc/pki/private/service.example.com.key -N CN=service.example.com -D
> >>>>> service.example.com -K HTTP/service.example.com
> >>>>>
> >>>>> It work pretty well. But if I add the second server that way :
> >>>>>  > ...
> >>>>>  > ipa host-add-managedby service.example.com
> >>>>> --hosts=srv1.example.com,srv2.example.com
> >>>>>  > ...
> >>>>>  > ipa service-add-hosts HTTP/service.example.com
> >>>>> --hosts=srv1.example.com,srv2.example.com
> >>>>>
> >>>>> I can only resquest the certificate on one of the servers. The first
> >>>>> request is going well (no matter on which server I do it) and the 
> >>>>> second
> >>>>> is stuck in this state :
> >>>>>
> >>>>> Request ID '20140107165415':
> >>>>>          status: CA_REJECTED
> >>>>>          ca-error: Server denied our request, giving up: 2100 (RPC
> >>>>> failed at server.  Insufficient access: not allowed to perform this
> >>>>> command).
> >>>>>          stuck: yes
> >>>>>          key pair storage:
> >>>>> type=FILE,location='/etc/pki/private/service.example.com.key'
> >>>>>          certificate:
> >>>>> type=FILE,location='/etc/pki/certs/service.example.com.crt'
> >>>>>          CA: IPA
> >>>>>          ...
> >>>>>
> >>>>> Is this a normal behavior?
> >>>>>
> >>>>> If yes, what could be the right way to achieve what I want?
> >>>>>
> >>>>> Regards,
> >>>>
> >>>> The problem is you would have two separate, valid certificates for the
> >>>> same
> >>>> service and we only store one at a time. The second request is going
> >>>> to try to
> >>>> revoke the original cert in order to issue another one. I'm guessing
> >>>> it is
> >>>> failing on the revocation step.
> >>>>
> >>>> I think you'll need to pick one server to manage it and manually copy
> >>>> it to
> >>>> any other servers. This loses the advantage of certmonger on the other
> >>>> boxes
> >>>> unfortunately.
> >>>
> >>> I think that 'the right approach' is to issue separate certificates for
> >>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
> >>> Name) cn=service.example.com to both of them.
> >>>
> >>> See
> >>> http://en.wikipedia.org/wiki/SubjectAltName
> >>>
> >>> I'm not sure how to get such certificate from FreeIPA. Rob, could you
> >>> add some details?
> >>>
> >>
> >> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977
> >
> > Benjamin, you are lucky. It is planed for FreeIPA 3.4 and the patch is 
> > on review :-)
> >
> Indeed, lucky me. Thanks a lot guys!

Benjamin, in the meanwhile, if you can use SNI on your servers, you
could simply get an additional certificate for service.example.com for
IPA, and copy it on both machines, then configure 2 sites that expose
the same data. (easy if you use something like apache or nginx).

Once the feature becomes available you can replace all the certs with 2
new certs with common alt name.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list