Hello,
I have issued a certificate for an AWS ELB.
The certificate is attached to a pseudo-host and service named lb.example.com.
There is a certificate and the certificate ID is 21.
The certificate was created on the FreeIPA server.
 
(as indicated here: https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)

I also created 2 more certificates for the back-end servers, installed them, and 
they work just fine when I connect directly to the back-end server. 
However, when I connect through the LB, browsers are complaining because the 
back-end certificate does not contain the DNS name of the LB. 
So, I revoked the previous certificates and tried to re-create them via:

sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem -k ~/certificates/keys/host_key.key -K HTTP/$(hostname -f) -N CN=$(hostname),O=EXAMPLE.COM -g 2048 -D lb.example.com -D host01.example.com -D aws-host01-example.com -D webserver01.example.com

(The command was executed on the back-end servers in order to avoid 
transferring the files.)

The request fails with this error:

        ca-error: Server at https://ipa01.example.com/ipa/xml denied our 
request, giving up: 2100 (RPC failed at server.  Insufficient access: 
Insufficient privilege to create a certificate with subject alt name 
'lb.example.com'.).

Do I get this error because there is a certificate for this service already? If 
so, how can I bypass this? 

If it's not possible, I will recreate the LB certificate and add all DNS names 
in that, but it's less than ideal since if I add a new server in the future, I 
will need to re-issue the certificate. 
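The error in the post comes from the authorisation check FreeIPA applies to every dNSName SAN in a request, not from the existing certificate ID 21. As an added illustration (a constructed model, not FreeIPA's own code), the script below reproduces that rule: each SAN must map to an existing service entry of the requested type (HTTP/<san>), and the principal that submits the request (here the host01 host principal used by certmonger) must be allowed to write that entry's userCertificate attribute, which FreeIPA grants through the service's managedBy hosts. The directory contents, hostnames and helper names are assumptions for the example.

```python
# Constructed model of the FreeIPA SAN permission check behind
# "Insufficient privilege to create a certificate with subject alt name".
# Not FreeIPA's code; the entries below are invented for the example.
from dataclasses import dataclass, field


@dataclass
class ServiceEntry:
    principal: str                               # e.g. "HTTP/lb.example.com"
    managed_by: set = field(default_factory=set)  # hosts allowed to write userCertificate


def build_directory():
    """Assumed state from the post: each service is managed only by its own host,
    so the LB pseudo-host owns HTTP/lb.example.com, not host01."""
    entries = [
        ServiceEntry("HTTP/lb.example.com", {"lb.example.com"}),
        ServiceEntry("HTTP/host01.example.com", {"host01.example.com"}),
    ]
    return {e.principal: e for e in entries}


def grant_managed_by(directory, principal, host):
    """Model of the real-world fix, i.e. what
    `ipa service-add-host HTTP/lb.example.com --hosts host01.example.com` changes."""
    directory[principal].managed_by.add(host)


def check_san_authorization(directory, requester_host, service_type, sans):
    """Return (ok, reason), checking SANs in request order the way the cert
    plugin does: the SAN's service principal must exist, then the requester
    needs write access to its userCertificate attribute."""
    for san in sans:
        principal = f"{service_type}/{san}"
        entry = directory.get(principal)
        if entry is None:
            return False, (f"The service principal for subject alt name '{san}' "
                           "in certificate request does not exist")
        if requester_host not in entry.managed_by:
            return False, ("Insufficient privilege to create a certificate "
                           f"with subject alt name '{san}'.")
    return True, "ok"


if __name__ == "__main__":
    sans = ["lb.example.com", "host01.example.com"]   # SANs from the failing request
    d = build_directory()
    print(check_san_authorization(d, "host01.example.com", "HTTP", sans))  # denied
    grant_managed_by(d, "HTTP/lb.example.com", "host01.example.com")
    print(check_san_authorization(d, "host01.example.com", "HTTP", sans))  # ok
```

Run as-is it shows the denial for lb.example.com first, then success once host01 is added to the managedBy list of the LB's HTTP service; a SAN with no matching service entry at all fails earlier with the "does not exist" reason.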