When I try adding it as an alt name:

    # certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \
        -8 elastic.our.net,\*.elastic.our.net,zsece01.our.net,zsece02.our.net,zsece03.our.net \
        > elastic.our.net.csr
    # ipa cert-request elastic.our.net.csr --principal host/elastic.our.net --profile wildcard
    ipa: ERROR: The service principal for subject alt name *.elastic.spx.net in certificate request does not exist

I'm not sure how to add a wildcard host principal...

--
Bret Wortman
[email protected]

On Tue, Jun 7, 2022, at 11:07 AM, Alexander Bokovoy wrote:
> On ti, 07 kesä 2022, Bret Wortman via FreeIPA-users wrote:
>> I'm trying to create a wildcard certificate to use with some elasticsearch
>> ECE systems and it's not working quite right yet. I found Fraser's blog at
>> https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wildcard-certs.html
>> and followed the directions there. After installing the cert chain on my ES
>> servers, when I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN
>> error, even though the cert contains:
>>
>> Subject Name
>>   Organization   OUR.NET 201804300753
>>   Common Name    *.elastic.our.net
>>
>> Issuer Name
>>   Organization   OUR.NET 201804300753
>>   Common Name    Certificate Authority
>>
>> Validity
>>   Not Before   Tue, 07 Jun 2022 14:48:08 GMT
>>   Not After    Fri, 07 Jun 2024 14:48:08 GMT
>>
>> Subject Alt Names
>>   DNS Name   zsece01.our.net
>>   DNS Name   zsece02.our.net
>>   DNS Name   zsece013our.net
>>
>> :
>>
>> I've tried including elastic.our.net as an alt name too and it didn't prevent
>> the error. What am I missing?
>
> You need to have dnsName: *.elastic.our.net in the SAN as well. Most
> browsers stopped looking into CN already for CAs from the root CA list
> but recently Firefox and Chrome also applied this to private CAs as
> well.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
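The browser behaviour Alexander describes (hostname checked only against SAN dNSName entries, CN ignored, a wildcard covering exactly one label) can be reproduced with a small RFC 6125-style matcher. This is an added example, not code from the thread or from FreeIPA; the SAN lists below are constructed from the certutil command in the post (zsece03 spelled as typed there), with the wildcard entry added as the reply recommends.

```python
"""RFC 6125-style hostname matching against a certificate's SAN dNSName list.

Browsers match the requested hostname only against SAN dNSName entries; the
subject CN is ignored. A wildcard matches exactly one left-most DNS label.
"""
from typing import Iterable, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN dNSName `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be the wildcard ("*.example.net");
    # a bare "*", "*.net", or a wildcard in a later label is rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so "*.elastic.our.net" does
    # not cover "elastic.our.net" itself or "a.b.elastic.our.net".
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def covering_san(san_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN dNSName covering `hostname`, or None (this is the
    SSL_ERROR_BAD_CERT_DOMAIN case seen in the post)."""
    for name in san_dns_names:
        if dns_name_matches(name, hostname):
            return name
    return None


# Constructed from the post: CN is *.elastic.our.net but the SAN lacks it.
ORIGINAL_SAN = ["zsece01.our.net", "zsece02.our.net", "zsece03.our.net"]
# SAN as the reply recommends: the wildcard present as a dNSName entry.
FIXED_SAN = ORIGINAL_SAN + ["elastic.our.net", "*.elastic.our.net"]

if __name__ == "__main__":
    for host in ("zsece01.our.net", "node1.elastic.our.net", "elastic.our.net"):
        print(host, covering_san(ORIGINAL_SAN, host), covering_san(FIXED_SAN, host))
```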
