Hi Rob

The SAN would also work really well since we are only using subdomains and 
hardly ever a new domain.


I tried the following:
ipa-getcert resubmit -D HTTP/sub2.example.com -i 20210910082436


But when I check ipa-getcert list it says:
        ca-error: Server at https://ipaserver.example.com/ipa/json denied our 
request, giving up: 3009 (invalid 'csr': hostname in subject of request 
'sub1.example.com' does not match name or aliases of principal 
'HTTP/sub2.example....@example.com').


I have added ipa service-add HTTP/sub2.example.com before running the command 
and an A record is in the DNS for sub2.example.com


I am pretty sure that I am not understanding something or missing a step but 
what am I missing?


Regards
Per

On 9 September 2021 at 19:49, Rob Crittenden <rcrit...@redhat.com> wrote:


Per Qvindesland via FreeIPA-users wrote:

Hi 


I am using the IPA server as the CA for our Apache SSL's, but I am
wondering if it's possible to have a second SSL that's not the same as
the hostname, meaning I have already sub1.mydomain.com but I would like
to add also sub2.mydomain.com for another site, is this possible?


I have tried adding the hostname so ipa host-add sub2.mydomain.com
then ipa service-add HTTP/sub2.mydomain.com, but when I do:
ipa-getcert request -K HTTP/sub2.mydomain.com -k
/ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr
-N sub2.mydomain.com then ipa-getcert list says it fails with:
status: CA_REJECTED
ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our
request, giving up: 2100 (Insufficient access: Insufficient 'write'
privilege to the 'userCertificate' attribute of entry
'krbprincipalname=HTTP/sub2.mydomain....@mydomain.com,cn=services,cn=accounts,dc=mydomain,dc=com'.)


How can I resolve this? 

certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the
machine to authenticate. By default it can only request certificates
for its own hostname.

You can use ipa service-add-host to add the host to the new service name.

Additionally, do you need a completely separate certificate or do you
want to add a SAN to the existing one? To do that you'd run:

ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>

rob
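The two CA_REJECTED failures in this thread (2100 "Insufficient access" and 3009 "invalid 'csr'") both arrive as a `ca-error:` line in `ipa-getcert list` output, and the useful parts (the IPA error code, the service principal the host could not write to, the CSR subject versus the requested principal) are buried in a long string. The following is an added triage helper, not code from the thread or from FreeIPA/certmonger: it parses `ipa-getcert list` output, pulls those fields out, and for 2100 prints the `ipa service-add-host` command Rob suggests. The sample output is constructed to mirror the two errors quoted above (the realm, request IDs and hostnames are placeholders), and the `--hosts=<requesting-host-fqdn>` value in the hint is a placeholder you fill in with the host that runs certmonger.

```python
import re

# Constructed sample of `ipa-getcert list` output modelled on the two
# failures quoted in this thread; request IDs, realm and hosts are placeholders.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20210910082436':
        status: CA_REJECTED
        ca-error: Server at https://ipaserver.example.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'sub1.example.com' does not match name or aliases of principal 'HTTP/sub2.example.com@EXAMPLE.COM').
        stuck: yes
        key pair storage: type=FILE,location='/ssl/sub2.example.com.key'
Request ID '20210910090000':
        status: CA_REJECTED
        ca-error: Server at https://ipaserver.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.)
        stuck: yes
"""

# "giving up: <code> (<detail>)" is how certmonger relays the IPA JSON-RPC error.
ERROR_RE = re.compile(r"giving up: (\d+) \((.*)\)\.?$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `ipa-getcert list` output.

    Each tracked request starts with "Request ID '<id>':" followed by
    indented "key: value" lines; the first colon separates key from value
    so URLs inside the value survive intact.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {}
            requests[match.group(1)] = current
            continue
        if current is not None and line.startswith((" ", "\t")) and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def classify(entry):
    """Explain a CA_REJECTED entry; returns None for entries that are not rejected."""
    match = ERROR_RE.search(entry.get("ca-error", ""))
    if entry.get("status") != "CA_REJECTED" or not match:
        return None
    code, detail = int(match.group(1)), match.group(2)
    result = {"code": code, "detail": detail}
    if code == 2100:
        # The host's keytab principal has no write access to the service entry,
        # so certmonger cannot store the issued certificate there.
        dn = re.search(r"entry '([^']+)'", detail)
        princ = re.search(r"krbprincipalname=([^,]+)", dn.group(1)) if dn else None
        result["principal"] = princ.group(1) if princ else None
        result["cause"] = "requesting host cannot write userCertificate on the service entry"
        result["hint"] = (
            f"ipa service-add-host {result['principal']} --hosts=<requesting-host-fqdn>"
        )
    elif code == 3009:
        # IPA validates the CSR: the subject hostname must match the principal
        # (or one of its aliases) the request is made for.
        subj = re.search(r"subject of request '([^']+)'", detail)
        princ = re.search(r"principal '([^']+)'", detail)
        result["subject"] = subj.group(1) if subj else None
        result["principal"] = princ.group(1) if princ else None
        result["cause"] = "CSR subject hostname does not match the principal name or aliases"
        result["hint"] = (
            f"subject '{result['subject']}' and principal '{result['principal']}' "
            "must name the same host (or an alias of it)"
        )
    else:
        result["cause"] = "unrecognised IPA error code"
    return result


def triage(text):
    """Map every rejected request ID in the output to its classification."""
    return {
        req_id: info
        for req_id, entry in parse_getcert_list(text).items()
        if (info := classify(entry)) is not None
    }


if __name__ == "__main__":
    for req_id, info in triage(SAMPLE_OUTPUT).items():
        print(f"{req_id}: {info['code']} {info['cause']}")
        print(f"    hint: {info['hint']}")
```

Run it against `ipa-getcert list` output pasted into `SAMPLE_OUTPUT` (or read from stdin) when a request shows `status: CA_REJECTED`; the 2100 hint reproduces Rob's fix, while the 3009 classification only surfaces the two names the server compared, which is the detail to check before resubmitting.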
