[Freeipa-users] How to remove bad cert renewal from certmonger?

Rob Crittenden rcritten at redhat.com
Fri Apr 22 22:23:22 UTC 2016


Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> Hello all,
>
> I tried to renew the server HTTP certificates for two freeipa servers so
> that the certs would have Subject Alternative Name (SAN) fields for all the
> addresses they have (two DNS names and IPs). I won't go into the details
> of why this is required, but I started with ipa2 (slave) and immediately
> got problems. Some I managed to solve, but there is now a problem to which
> I have not found any solution.
>
> How to remove from certmonger a renewal request that has a bad
> certificate request in it?
>
> What I did was:
>
> # ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain"
> -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A
> "10.22.199.253" -A "10.10.1.253"
>
> This led to a problem: the ipa2.lab-management-domain server was not a
> host in FreeIPA. Added the needed info:
>
> # ipa host-add ipa2.lab-management-domain
> # ipa service-add HTTP/ipa2.lab-management-domain --force
> # ipa service-add-host HTTP/lab-management-domain --host
> ipa2.lab-management-domain
>
> Then I ran the above resubmit command again.
>
> This time there was an error related to the -D "10.22.199.253" and
> -D "10.10.1.253" fields. And because it is not possible to use ipa
> host-add "10.22.199.253", I decided just to drop the -D fields with IP
> addresses but leave the -A options, and ran the resubmit command again.
>
> Now the error in the ipa-getcert list command changed to say that IP
> Address is forbidden:
>
> # ipa-getcert list -i "20160212110456"
> .......
> Request ID '20160212110456':
>          status: MONITORING
>          ca-error: Server at https://ipa2.lab-public-domain/ipa/xml
> denied our request, giving up: 2100 (RPC failed at server.  Insufficient
> access: Subject alt name type IP Address is forbidden).
>          stuck: no
> .......
>
> That is the state where I am now stuck. I have tried the ipa-getcert
> resubmit command without any -D or -A fields but the error stays there.
>
> I took the "csr=" value from the file
> /var/lib/certmonger/requests/20160212110456 and saved it to the /tmp/request
> file. Using openssl I can see that it still contains a SAN attribute with
> IP addresses and two odd fields that are probably there because of those
> -D "IP" fields I had at the beginning:
>
> # openssl req -in /tmp/request -text -noout
> .........
>              X509v3 Subject Alternative Name:
>                  DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain,
> othername:<unsupported>, othername:<unsupported>, IP
> Address:10.22.199.253, IP Address:10.10.1.253
> .........
>
> Repetitio est mater studiorum:
>
> How can I clean up this defective state of certmonger?

# ipa-getcert stop-tracking -i 20160212110456

>
> Second question if/when the above urgent problem is solved:
>
> Is there any way to get IP address to SAN field for the IPA Server-Certs?

Not without changing code. IP address SANs are explicitly forbidden:
Subject alt name type IP Address is forbidden

rob
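As an added example (not part of this thread and not FreeIPA's or certmonger's own code), the following bash helper ties the two answers together: it recognises, from `ipa-getcert list` output, a request that the CA rejected for an IP-address SAN, drops any IP literals from the candidate SAN list, and prints the two commands that replace the stuck request (stop-tracking the old one, then a fresh `ipa-getcert request` with DNS SANs only, never `-A`). The sample list output is constructed from the thread; the NSS database path `/etc/httpd/alias`, the nickname `Server-Cert` and the principal are assumptions for an IPA server's HTTP cert and should be adjusted to the installation. Nothing is executed against the server: the commands are printed for review.

```bash
#!/bin/bash
# Added example, not code from the thread or from FreeIPA: recognise a
# certmonger request that is stuck on the "IP Address is forbidden" error,
# and build the replacement commands (stop tracking, then a fresh request
# carrying DNS SANs only). Commands are printed for review, never executed.

# Constructed sample of `ipa-getcert list -i <id>` output in the stuck state,
# modelled on the thread.
SAMPLE_LIST=$(cat <<'EOF'
Request ID '20160212110456':
        status: MONITORING
        ca-error: Server at https://ipa2.lab-public-domain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Subject alt name type IP Address is forbidden).
        stuck: no
EOF
)

# Print the request ID from `ipa-getcert list` output.
request_id_of() {
    printf '%s\n' "$1" | sed -n "s/^Request ID '\([^']*\)':.*/\1/p"
}

# Succeed (0) when the CA rejected the request for an IP-address SAN.
rejected_for_ip_san() {
    printf '%s\n' "$1" | grep -q 'Subject alt name type IP Address is forbidden'
}

# Echo the DNS-name SANs from the arguments, one per line, dropping IPv4 and
# IPv6 literals: the IPA CA refuses IP SANs, so they must not be resubmitted.
dns_sans_only() {
    for san in "$@"; do
        case "$san" in *:*) continue ;; esac          # IPv6 literal
        if printf '%s' "$san" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            continue                                   # IPv4 literal
        fi
        printf '%s\n' "$san"
    done
}

# Usage: rebuild_commands "<list output>" <principal> <san>...
# Emits the two commands that replace a stuck request. The NSS database path
# and nickname are assumptions for the IPA HTTP server cert; adjust them.
rebuild_commands() {
    list_output=$1
    principal=$2
    shift 2
    id=$(request_id_of "$list_output")
    if [ -z "$id" ]; then
        echo "no request ID in list output" >&2
        return 1
    fi
    if ! rejected_for_ip_san "$list_output"; then
        echo "request $id is not stuck on an IP SAN; nothing to do" >&2
        return 1
    fi
    dns_args=""
    for name in $(dns_sans_only "$@"); do
        dns_args="$dns_args -D $name"
    done
    # -A (IP-address SAN) is deliberately never emitted.
    printf 'ipa-getcert stop-tracking -i %s\n' "$id"
    printf 'ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K %s%s\n' \
        "$principal" "$dns_args"
}

# Demonstration on the constructed sample; in real use feed it
# "$(ipa-getcert list -i <id>)" and your own hostnames.
rebuild_commands "$SAMPLE_LIST" HTTP/ipa2.lab-public-domain \
    ipa2.lab-public-domain ipa2.lab-management-domain 10.22.199.253 10.10.1.253
```

Every extra DNS name you keep must already exist as an IPA host with an HTTP service that this server is allowed to manage (the host-add, service-add and service-add-host steps in the thread), otherwise the new request fails for the same access reason as the first attempt. Stopping tracking discards the stored CSR, which is why the stale IP entries seen with `openssl req -text` do not carry over into the new request.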