[Freeipa-users] Getting a certificate for an alias

[Fraser Tweedale]

On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias.  I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias.  However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
> 
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Principal alias: host/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU
> 
> Principal alias: HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Principal alias: HTTP/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
> 
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
> /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
> CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
> HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU -C
> '/usr/sbin/apachectl graceful'
> 
> When I check with ipa-getcert list, I find:
>         ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server.  The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
> 
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
> 
> So how does one create a certificate for an alias on a host?
> 
Hi Steve,

The fix for this was released in FreeIPA 4.5.  See ticket
https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser