That's an incredible response, thank you so much Alexander.

I'll take my time digesting that and look into correcting the current

With all that information I am pretty certain I can resolve several other
mis-configured services, I can't thank you enough!

On Wed, Jan 17, 2018 at 4:38 PM Alexander Bokovoy <>

> On ke, 17 tammi 2018, Callum Guy wrote:
> >Hi Alex,
> >
> >I have now managed to create valid certificates after following your
> >provided example however I do have some questions.
> >
> >Firstly in my situation there are multiple proxy instances which are
> >servicing this domain, for this reason I attempted to add two hosts to my
> >dummy host. This part worked fine and produced the following:
> >
> >[11:43] root net-ipa1 ~ # ipa service-add-host HTTP/
> --host
> > --host
> >  Principal name: HTTP/
> >  Principal alias: HTTP/
> >  Managed by:,,
> >
> >AFAIK that looks good although i am not entirely clear on how that
> >configuration would effect FreeIPA behaviour.
> >
> >Following the rest of the example did not work for me however things
> >usually don't work if I don't understand what I'm doing! Ignoring that for
> >a second, I managed to add my CSR to the service principal via the IPA
> >interface and the produced certificate was accepted by both proxy
> instances
> >so I have achieved what i needed to.
> >
> >I am interested in where  it all went wrong and always interested in
> >improving my understanding of IPA itself so wanted to share the output in
> >case you were able to provide any information! You can see the domain
> >redacted log below:
> You did re-issued a certificate for a wrong service on a wrong host.
> You wanted to issue certs for HTTP/ but did so for
> HTTP/ The latter is not managed by
>, so there is an error.
> If I understood your setup, it is the following:
>   - main host visible to users is, they would
>     authenticate using GSSAPI to HTTP/
>   - is actually represented by and
> In case of IPA this means
>     only exists within IPA database but not as a real (enrolled) host
>   - HTTP/ would need to have aliases
>     HTTP/ and HTTP/ to allow
>     web services on net-proxy1 and net-proxy2 to handle Kerberos
>     authentication
>   - and should not have
>     actual HTTP/ services defined in IPA
> This means you'd need to perform something like the following steps
> (below {} is relying on a shell expansion feature, e.g. {foo{1,2}} would
> expand into "foo1 foo2" and --bar={foo{1,2}} would expand into
> "--bar=foo1 --bar=foo2"). Note that I haven't tested this at all, only
> checked that IPA commands use proper arguments/options.
>  1. ipa host-add
>  2. ipa service-add HTTP/
>  3. ipa service-add-host HTTP/ --hosts={net-proxy{1,2}.
>  4. ipa service-add-principal HTTP/ {HTTP/net-proxy{1,2}.
>  5. ipa service-allow-create-keytab HTTP/
> --hosts={net-proxy{1,2}}
>  6. ipa service-allow-retrieve-keytab HTTP/
> --hosts={net-proxy{1,2}}
> Now, we have a host This host has HTTP/
> service which is also known to KDC as HTTP/ and
> HTTP/ The principal HTTP/ can be
> managed by hosts and,
> meaning these hosts can create and retrieve keytab for the
> HTTP/ principal.
> Next step is to issue the certificate and the keytab. There is a
> problem though because you should retrieve them at one place only or
> otherwise the second issuance would invalidate the first one. Choose
> which host will be the primary one and make sure you have a mechanism to
> distribute the retrieved certificate and its private key (and a Kerberos
> keytab) to the second one.
> Let's say it would be a On net-proxy1 if you have
> Apache and mod_nss installed, you can use its /etc/httpd/alias database:
>  ipa-getcert request -n Server-Cert \
>                      -d /etc/httpd/alias \
>                      -t 'NSS Certificate DB' \
>                      -p /etc/httpd/alias/pwdfile.txt \
>                      -N \
>                      -D \
>                      -D \
>                      -D \
>                      -K HTTP/ \
>                      -K HTTP/ \
>                      -K HTTP/ \
>                      -C /path/to/rotation/script
> rotation script is called by certmonger after it has re-issued and saved
> the script. IPA servers have their own:
> /usr/libexec/ipa/certmonger/restart_httpd but all it basically does is
> to determine whether httpd is running and then restarting it to apply a
> new certificate because mod_nss only reads it once. You can write this
> script using any language (a shell, for example) and it could do what
> you want:
>  - copy nss database to net-proxy2, for example
>  - trigger restart of httpd on net-proxy1 and net-proxy2
>  - something else
> For the keytab you do the same but as service keys aren't rotated
> automatically, you can generate one at net-proxy1 and retrieve it at
> net-proxy2:
> On net-proxy1 as root:
>  kinit -k
>  ipa-getkeytab -p HTTP/ -k /path/to/
> On net-proxy2 as root:
>  kinit -k
>  ipa-getkeytab -p HTTP/ -k /path/to/ -r
> '-r' option retrieves the keytab without re-generating it, so that it
> stays valid.
> Now you'd have HTTP/ principal's key as keytabs at both
> hosts.
> You can use this keytab to authenticate clients talking to
> HTTP/ or HTTP/ because the key
> is the same, only its name differs.
> Various applications have different ways to specify that any key from
> the keytab could be used. For example, mod_auth_gssapi in Apache has a
> default mode where any acceptor name (Kerberos term for the target
> principal at server side) is accepted.
> --
> / Alexander Bokovoy

Callum Guy
Head of Information Security


*0333 332 0000  | <>  |   ** 
<>   <> 
  <> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to