Per Qvindesland wrote:
> Hi Rob
> 
> The SAN would also work really well since we are only using subdomains
> and hardly ever a new domain.
> 
> I tried the following:
> ipa-getcert resubmit -D HTTP/sub2.example.com -i 20210910082436
> 
> But when I check ipa-getcert list it says:
>         ca-error: Server at https://ipaserver.example.com/ipa/json
> denied our request, giving up: 3009 (invalid 'csr': hostname in subject
> of request 'sub1.example.com' does not match name or aliases of
> principal 'HTTP/[email protected]').
> 
> I have added ipa service-add HTTP/sub2.example.com before running the
> command and an A record is in the DNS for sub2.example.com
> 
> I am pretty sure that I am not understanding something or missing a step
> but what am I missing?

Sorry, that's on me.

This will work:

Add the new host and set managed by as a lark. I don't think it's
required but meh. I'm using --force because I didn't bother to set up DNS
for this fake host.

ipa host-add newhost.example.test --force
ipa host-add-managedby newhost.example.test --host ipa.example.test

Add a new Apache service for the new host and let the main host manage it:
ipa service-add HTTP/newhost.example.test --force
ipa service-add-host HTTP/newhost.example.test --host ipa.example.test

Resubmit the request for the SAN:
getcert resubmit -D newhost.example.test -f /var/lib/ipa/certs/httpd.crt -w -v

View the new SAN:
openssl x509 -text -noout -in /var/lib/ipa/certs/httpd.crt
...
            X509v3 Subject Alternative Name:
                DNS:newhost.example.test, othername:<unsupported>, othername:<unsupported>, DNS:ipa.example.test
...

Both the new and original hosts are listed as DNS SAN.

rob

> 
> Regards
> Per
> 
> 
>  
> 
> On 9 September 2021 at 19:49, Rob Crittenden <[email protected]> wrote:
> 
>> Per Qvindesland via FreeIPA-users wrote:
>>> Hi 
>>>
>>> I am using the IPA server as the CA for our Apache SSLs, but I am
>>> wondering if it's possible to have a second SSL that's not the same as
>>> the hostname, meaning I have already sub1.mydomain.com but I would like
>>> to add also sub2.mydomain.com for another site, is this possible?
>>>
>>> I have tried adding the hostname so ipa host-add sub2.mydomain.com
>>> then ipa service-add HTTP/sub2.mydomain.com, but when I do:
>>> ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com
>>> then ipa-getcert list says it fails with:
>>> status: CA_REJECTED
>>> ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our
>>> request, giving up: 2100 (Insufficient access: Insufficient 'write'
>>> privilege to the 'userCertificate' attribute of entry
>>> 'krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=mydomain,dc=com'.)
>>>
>>> How can I resolve this? 
>>
>> certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the
>> machine to authenticate. By default it can only request certificates
>> for its own hostname.
>>
>> You can use ipa service-add-host to add the host to the new service name.
>>
>> Additionally, do you need a completely separate certificate or do you
>> want to add a SAN to the existing one? To do that you'd run:
>>
>> ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>
>>
>> rob
>>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
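The procedure Rob describes in both replies (register the extra host and HTTP service, let the original IPA client host manage them, resubmit the tracked request with `-D`, then inspect the SAN with openssl) as one checked script. This is an added example, not code from the thread or from FreeIPA itself. It assumes the long option spelling `--hosts=` for `host-add-managedby` and `service-add-host`, an admin Kerberos ticket for the `ipa` commands and root for `getcert`; the hostnames and the certificate path are placeholders. The SAN check parses the same `openssl x509 -text` output shown above, so it can be run on its own against any PEM certificate.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread above; not from the thread or
# from FreeIPA. Hostnames, option spellings and paths are assumptions.

# Print the DNS names from the Subject Alternative Name extension of the PEM
# certificate $1, one per line. Parses the `openssl x509 -text` layout the
# thread shows (header line, then the comma-separated entries on the next
# line). The othername entries, which older openssl prints as
# "othername:<unsupported>", carry no DNS name and are dropped.
san_dns_names() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^DNS://p'
}

# Exit 0 if certificate $1 carries the DNS SAN $2 (exact match), 1 otherwise.
cert_has_dns_san() {
    san_dns_names "$1" | grep -qxF "$2"
}

# Rob's steps with every command checked.
#   $1 = new hostname to add as a SAN (e.g. newhost.example.test)
#   $2 = the IPA client host that owns the existing certmonger request
#   $3 = the certificate file certmonger tracks (e.g. /var/lib/ipa/certs/httpd.crt)
# --force skips the DNS check, as in the thread; drop it once an A record
# exists. -D takes a bare DNS name, not an HTTP/... principal, and -f selects
# the existing request, so the CN stays the original hostname and the new
# name is added as a SAN. -w blocks until the CA answers, so the final check
# sees the reissued certificate.
ipa_add_http_san() {
    newhost=$1 owner=$2 certfile=$3
    ipa host-add "$newhost" --force &&
    ipa host-add-managedby "$newhost" --hosts="$owner" &&
    ipa service-add "HTTP/$newhost" --force &&
    ipa service-add-host "HTTP/$newhost" --hosts="$owner" &&
    getcert resubmit -D "$newhost" -f "$certfile" -w -v &&
    cert_has_dns_san "$certfile" "$newhost" &&
    cert_has_dns_san "$certfile" "$owner"
}

# Usage (on the IPA client, as root, after kinit admin):
#   ipa_add_http_san newhost.example.test ipa.example.test /var/lib/ipa/certs/httpd.crt
```

The final two checks are the point of the `-w`: they fail if the CA rejected the resubmission (for example with the 3009 "does not match name or aliases of principal" error seen above), so a wrapper script does not report success on a certificate that was never reissued.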