Amit via FreeIPA-devel wrote:
> Hello,
> 
> _This command is executed at IPA Client_:
> # date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K 
> TEST/$(hostname) -E <>@<> <mailto:fabian.seelb...@ble.de> -f 
> opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
> Wed Feb 14 07:54:49 CET 2018
> Certificate at same location is already used by request with nickname 
> "20180207095750".
> Error org.fedorahosted.certmonger.duplicate: Certificate at same location is 
> already used by request with nickname "20180207095750".
> 
> # ipa-getcert stop-tracking --id "20180207095750"
> Request "20180207095750" removed.
> 
> # date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K 
> TEST/$(hostname) -E <>@<> <mailto:fabian.seelb...@ble.de> -f 
> /opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
> Wed Feb 14 07:55:19 CET 2018
> New signing request "20180214065519" added.
> 
> # getcert list -i "20180214065519"
> Number of certificates and requests being tracked: 1.
> Request ID '20180214065519':
>         status: CA_REJECTED
>         ca-error: Server at https://<>/ipa/xml 
> <https://dpgrridm0577.idm.ble.de/ipa/xml> denied our request, giving up: 3009 
> (RPC failed at server.  invalid 'csr': subject alt name type RFC822Name is 
> forbidden for non-user principals).
>         stuck: yes
>         key pair storage: type=FILE,location='/opt/certs/test3.key'
>         certificate: type=FILE,location='/opt/certs/test3.crt'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: no

I'm not sure what the question is.

If the question is "why does my second getcert request fail" then it's
because you use resubmit not request for certs already being tracked.

If the question is "why is my request rejected" I think that is pretty
clear already.

rob
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
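
The rejected request quoted in the thread above, as an added example that is not part of the original messages and is not FreeIPA or certmonger code: a small parser over `getcert list` text that picks out requests left in the `CA_REJECTED` / `stuck: yes` state and extracts the server's error code and reason. The sample input is constructed from the quoted output with a placeholder host name, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the `getcert list` output quoted in the
# thread; the server host name is a placeholder.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20180214065519':
        status: CA_REJECTED
        ca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 3009 (RPC failed at server.  invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals).
        stuck: yes
        key pair storage: type=FILE,location='/opt/certs/test3.key'
        certificate: type=FILE,location='/opt/certs/test3.crt'
        track: yes
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
ERR_RE = re.compile(r"giving up: (\d+) \((.*)\)\.?$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def stuck_rejections(text):
    """List requests the CA rejected and certmonger has given up on."""
    findings = []
    for req_id, f in parse_getcert_list(text).items():
        if f.get("status") != "CA_REJECTED" or f.get("stuck") != "yes":
            continue
        m = ERR_RE.search(f.get("ca-error", ""))
        findings.append({
            "id": req_id,
            "code": int(m.group(1)) if m else None,
            "reason": m.group(2) if m else f.get("ca-error", ""),
            "cert": f.get("certificate", ""),
        })
    return findings
```

Calling `stuck_rejections()` on saved `getcert list` output gives one record per rejected request, so the policy reason returned by the server can be reviewed alongside the certificate location it applies to.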
