Hi Alex,

I have now managed to create valid certificates after following your
provided example however I do have some questions.

Firstly, in my situation there are multiple proxy instances which are
servicing this domain, so for this reason I attempted to add two hosts to my
dummy host. This part worked fine and produced the following:

[11:43] root net-ipa1 ~ # ipa service-add-host HTTP/gogs.domain.net --host net-proxy1.domain.net --host net-proxy2.domain.net
  Principal name: HTTP/gogs.domain....@domain.net
  Principal alias: HTTP/gogs.domain....@domain.net
  Managed by: gogs.domain.net, net-proxy1.domain.net, net-proxy2.domain.net

AFAIK that looks good, although I am not entirely clear on how that
configuration would affect FreeIPA behaviour.

Following the rest of the example did not work for me; however, things
usually don't work if I don't understand what I'm doing! Ignoring that for
a second, I managed to add my CSR to the service principal via the IPA
interface and the produced certificate was accepted by both proxy instances,
so I have achieved what I needed to.

I am interested in where it all went wrong, and am always interested in
improving my understanding of IPA itself, so I wanted to share the output in
case you were able to provide any information! You can see the domain-
redacted log below:


No problem if you don't have time, thanks for helping progress my issue.

Many thanks,


On Wed, Jan 17, 2018 at 11:24 AM Callum Guy <callum....@x-on.co.uk> wrote:

> Thanks so much Alexander - I'll have a go and come back if I experience
> any difficulties.
> Have a good day!
> On Wed, Jan 17, 2018 at 11:06 AM Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>> On Wed, 17 Jan 2018, Callum Guy via FreeIPA-users wrote:
>> >Hi All,
>> >
>> >I'm planning to add a subdomain certificate for an internal web service
>> >using FreeIPA CA; however, in my example I am applying the certificate to an
>> >interim proxy server.
>> >
>> >For example I want to sign a certificate for "web.domain.com" and serve it
>> >on host "proxy.domain.com".
>> >
>> >Based on what I have learnt from using FreeIPA so far I presume the correct
>> >way to do this is via service principal: HTTP/proxy.domain....@domain.com
>> >
>> >When I attempt to create the certificate from my CSR I get the following
>> >error report:
>> >
>> >"invalid 'csr': hostname in subject of request 'web.domain.com' does not
>> >match name or aliases of principal 'HTTP/proxy.domain....@domain.com'"
>> >
>> >I have tried adding aliases to the principal; however, I haven't been able
>> >to make it work - a lack of understanding I think!
>> >
>> >I am sure that I am just doing something wrong and it would be great if
>> >someone could help explain what I should be doing.
>> See the thread at
>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IO6BSB6K76E5XRM4IQEFJRTIPK6KKXFX/
>> for details on how to achieve that.
>> --
>> / Alexander Bokovoy
> --
> Callum Guy
> Head of Information Security
> X-on

Callum Guy
Head of Information Security
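The procedure this thread converges on (a service principal named for the web service rather than for the proxy, the proxy hosts added as its managers, and a CSR whose CN and SAN carry the service name so they match the principal's name or aliases) is shown below as an added shell example. It is not part of the thread and not FreeIPA's own tooling. It reuses the names from the output above (HTTP/gogs.domain.net, net-proxy1/net-proxy2.domain.net) plus a hypothetical realm DOMAIN.NET and a hypothetical alias HTTP/net-proxy1.domain.net; the local pre-check mirrors only the rule the error message states (CN must match the principal's name or an alias) and treats SAN dNSNames the same way, which is a simplification. The CSR steps need openssl; the ipa(1) calls in register_and_request need an admin ticket and are not executed by the script.

```shell
#!/bin/sh
# Added example: build a CSR for a service name served by a proxy host and
# check its names against a FreeIPA service principal before submitting it.
# Names below are taken from the thread; realm and alias are assumptions.

# Hostnames a principal answers to: its canonical name plus any aliases added
# with `ipa service-add-principal`. Input: principals as "SERVICE/host@REALM";
# output: one lower-cased hostname per line.
principal_hostnames() {
    for p in "$@"; do
        h=${p#*/}          # drop "HTTP/"
        h=${h%@*}          # drop "@REALM" if present
        printf '%s\n' "$h" | tr 'A-Z' 'a-z'
    done
}

# Return 0 when every hostname in $1 (newline-separated: the CSR's CN and SAN
# dNSNames) is one of the principal hostnames in $2; otherwise report the
# first offender in the form FreeIPA uses and return 1.
csr_names_match_principal() {
    csr_names=$1; allowed=$2
    printf '%s\n' "$csr_names" | tr 'A-Z' 'a-z' | while IFS= read -r n; do
        [ -z "$n" ] && continue
        if ! printf '%s\n' "$allowed" | grep -qxF "$n"; then
            echo "hostname in subject of request '$n' does not match name or aliases of principal" >&2
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
    done
}

# Extract the CN and any SAN dNSName entries from a PEM CSR with openssl.
csr_hostnames() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Generate a key and CSR on the proxy whose CN and SAN carry the *service*
# name, not the proxy's own hostname (the mismatch the thread ran into).
# Uses a temporary openssl config so it works without -addext.
make_csr() {
    name=$1; key=$2; csr=$3
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $name
[san]
subjectAltName = DNS:$name
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# Real ipa(1) commands for the server side: create the service principal for
# the web name, let each proxy host manage it, then request the certificate
# against that principal. Needs a kinit'ed admin ticket; not run by this script.
register_and_request() {
    svc=$1; csr=$2; shift 2
    ipa service-add "$svc"
    for h in "$@"; do ipa service-add-host "$svc" --hosts="$h"; done
    ipa cert-request "$csr" --principal="$svc"
}

demo() {
    dir=$(mktemp -d)
    allowed=$(principal_hostnames HTTP/gogs.domain.net@DOMAIN.NET \
                                  HTTP/net-proxy1.domain.net@DOMAIN.NET)
    make_csr gogs.domain.net "$dir/gogs.key" "$dir/gogs.csr" 2>/dev/null
    if csr_names_match_principal "$(csr_hostnames "$dir/gogs.csr")" "$allowed"; then
        echo "OK: names covered; run: ipa cert-request $dir/gogs.csr --principal=HTTP/gogs.domain.net"
    fi
    # A CSR for net-proxy2's own name is not covered by this principal.
    make_csr net-proxy2.domain.net "$dir/bad.key" "$dir/bad.csr" 2>/dev/null
    csr_names_match_principal "$(csr_hostnames "$dir/bad.csr")" "$allowed" \
        || echo "(rejected locally, as IPA would)"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The pre-check only reproduces the name rule visible in the error message; the real `ipa cert-request` additionally checks that the requester can manage the principal, which is what adding the proxy hosts with `ipa service-add-host` provides.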


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org