Re: [Freeipa-users] Getting a certificate for an alias
- From: Fraser Tweedale <ftweedal redhat com>
- To: Steve Huston <huston astro princeton edu>
- Cc: freeipa-users redhat com
- Subject: Re: [Freeipa-users] Getting a certificate for an alias
- Date: Fri, 5 May 2017 11:15:00 +1000
On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias. I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias. However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
>
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
> Principal alias: host/puppet.astro.princeton.edu@ASTRO.PRINCETON.EDU
>
> Principal alias: HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
> Principal alias: HTTP/puppet.astro.princeton.edu@ASTRO.PRINCETON.EDU
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
>
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key \
>   -f /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu \
>   -N CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU \
>   -K HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU \
>   -C '/usr/sbin/apachectl graceful'
>
> When I check with ipa-getcert list, I find:
> ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server. The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
>
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
>
> So how does one create a certificate for an alias on a host?
>
Hi Steve,
The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.
Thanks,
Fraser
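The rejection Steve hit comes from the IPA CA checking every SAN dNSName in the CSR against the service principals it knows about. A small pre-flight check on the client side makes the failure visible before certmonger submits the request: derive the principal each SAN implies (SERVICE/<san>@REALM) and confirm it appears among the service entry's principal aliases. The script below is an added example, not code from the thread or from FreeIPA; it assumes the "Principal alias:" line format that `ipa service-show` prints (as seen in the quoted output), and the `ipa service-show` text it parses is a constructed sample embedded inline rather than live command output.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): pre-flight check that every
# SAN dNSName planned for an ipa-getcert request has a matching service
# principal (SERVICE/<san>@REALM) on the FreeIPA service entry.
# On a real client the text parsed here would come from
#   ipa service-show HTTP/<host> --all
# the two samples below are constructed stand-ins in that output format.

REALM="ASTRO.PRINCETON.EDU"

# Constructed sample: only the canonical principal is present (the state in
# which the CA rejects a SAN for puppet.astro.princeton.edu).
SAMPLE_SERVICE_SHOW='  Principal name: HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
  Principal alias: HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
  Keytab: False
  Managed by: coathook.astro.princeton.edu'

# Constructed sample: the alias principal has been added as well.
SAMPLE_WITH_ALIAS='  Principal name: HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
  Principal alias: HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU
  Principal alias: HTTP/puppet.astro.princeton.edu@ASTRO.PRINCETON.EDU
  Keytab: False
  Managed by: coathook.astro.princeton.edu'

# principal_aliases SERVICE_SHOW_OUTPUT
# Prints one principal alias per line, taken from "Principal alias:" lines.
principal_aliases() {
    printf '%s\n' "$1" | sed -n 's/^ *Principal alias: *//p'
}

# missing_sans SERVICE SERVICE_SHOW_OUTPUT SAN...
# Prints each SAN dNSName whose SERVICE/SAN@REALM principal is not listed.
missing_sans() {
    service="$1"; shift
    aliases=$(principal_aliases "$1"); shift
    for san in "$@"; do
        wanted="$service/$san@$REALM"
        printf '%s\n' "$aliases" | grep -qxF "$wanted" || echo "$san"
    done
}

# check_sans SERVICE SERVICE_SHOW_OUTPUT SAN...
# Returns 0 when every SAN is covered by a principal alias, 1 otherwise,
# naming the SANs that the CA would reject.
check_sans() {
    missing=$(missing_sans "$@")
    if [ -n "$missing" ]; then
        for san in $missing; do
            echo "SAN $san has no matching $1/$san@$REALM principal"
        done
        return 1
    fi
    return 0
}

# Stand-alone demo: the request from the thread (CN coathook, SAN puppet)
# checked against both constructed samples.
if check_sans HTTP "$SAMPLE_SERVICE_SHOW" coathook.astro.princeton.edu puppet.astro.princeton.edu; then
    echo "sample 1: all SANs covered"
else
    echo "sample 1: request would be rejected"
fi
if check_sans HTTP "$SAMPLE_WITH_ALIAS" coathook.astro.princeton.edu puppet.astro.princeton.edu; then
    echo "sample 2: all SANs covered"
fi
```

Run it before `ipa-getcert request` with the real `ipa service-show` output in place of the samples; a non-zero exit from `check_sans` means the CA check described in the thread will fail for the named SANs, independent of whether the server already carries the 4.5 fix.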