Hello all,

Here is the situation. I have a web service (reachable via service.example.com) that runs on two servers (srv1.example.com and srv2.example.com). The load is distributed across the servers by DNS round robin. I want the certificate for https://service.example.com to be managed by IPA (which is my root CA) and to take advantage of certificate monitoring. The two servers are registered in IPA and can request their own certificates.

I managed to request the certificate on one of the servers by doing the following:

Create a fake host on ds.example.com:
> ipa host-add service.example.com
> ipa host-add-managedby service.example.com --hosts=srv1.example.com
> ipa service-add HTTP/service.example.com
> ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com

Then request the certificate on srv1:
> ipa-getcert request -r -f /etc/pki/certs/service.example.com.crt -k /etc/pki/private/service.example.com.key -N CN=service.example.com -D service.example.com -K HTTP/service.example.com

It works pretty well. But if I add the second server this way:
> ...
> ipa host-add-managedby service.example.com --hosts=srv1.example.com,srv2.example.com
> ...
> ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com,srv2.example.com

I can only request the certificate on one of the servers. The first request goes well (no matter which server I do it on) and the second is stuck in this state:

Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
        certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
        CA: IPA
        ...

Is this normal behavior?

If yes, what could be the right way to achieve what I want?

Regards,
--
Benjamin Soriano

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
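As an added example, not part of the original post and not code from FreeIPA or certmonger: the post relies on certmonger's `ipa-getcert list` output to notice that a request is stuck, and a monitor that parses that output is the natural way to "take advantage of certificate monitoring" across several hosts. The script below parses the `Request ID '...':` blocks into dictionaries, flags any request certmonger reports as `stuck: yes` or in the `CA_REJECTED` state, and pulls the numeric IPA error code (2100 in the post) out of the `ca-error` line. The sample output embedded in the script is constructed for this example, modelled on the block quoted above; the request IDs, paths and the second (healthy) request are illustrative, and the helper names (`parse_getcert_list`, `stuck_requests`, `ipa_error_code`) are this example's own.

```python
"""Parse `ipa-getcert list` / `getcert list` output and flag stuck requests.

Added example, not from the original post or from FreeIPA/certmonger.
The SAMPLE text below is constructed for this example: its layout follows
the real `getcert list` format ("Request ID '...':" header followed by
indented "key: value" lines), but the IDs, paths and the second request
are illustrative.
"""
import re
import subprocess

# Constructed sample output: one rejected request (mirroring the post's
# quoted block) and one healthy MONITORING request.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140107165415':
\tstatus: CA_REJECTED
\tca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
\tcertificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID '20140107120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/private/other.key'
\tcertificate: type=FILE,location='/etc/pki/certs/other.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=service.example.com,O=EXAMPLE.COM
\texpires: 2015-01-07 12:00:00 UTC
\tprincipal name: HTTP/service.example.com@EXAMPLE.COM
\ttrack: yes
\tauto-renew: yes
"""

HEADER = re.compile(r"^Request ID '([^']+)':\s*$")
# certmonger phrases a final CA refusal as "giving up: <code> (...)".
CA_CODE = re.compile(r"giving up: (\d+)")

# States in which no certificate will arrive without operator action.
BAD_STATES = {"CA_REJECTED"}


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Each dict has an "id" key plus every "key: value" line of its block.
    Lines before the first "Request ID" header (the tracked-count line)
    are ignored. Only the first colon separates key from value, so
    values such as "type=FILE,location='...'" or a timestamp survive.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def ipa_error_code(ca_error):
    """Return the numeric code certmonger relays from the CA, or None."""
    m = CA_CODE.search(ca_error or "")
    return int(m.group(1)) if m else None


def stuck_requests(requests):
    """Requests certmonger has given up on.

    `stuck: yes` is certmonger's own verdict; CA_REJECTED is included
    explicitly so a rejected request is reported even on a certmonger
    build that prints no "stuck" line.
    """
    bad = []
    for r in requests:
        if r.get("stuck") == "yes" or r.get("status") in BAD_STATES:
            bad.append({
                "id": r["id"],
                "status": r.get("status", ""),
                "certificate": r.get("certificate", ""),
                "ca-error": r.get("ca-error", ""),
                "code": ipa_error_code(r.get("ca-error")),
            })
    return bad


def report(text):
    """Human-readable summary; returns the number of stuck requests."""
    bad = stuck_requests(parse_getcert_list(text))
    for b in bad:
        print(f"{b['id']}: {b['status']} (IPA error {b['code']}) "
              f"for {b['certificate']}\n    {b['ca-error']}")
    return len(bad)


if __name__ == "__main__":
    # Live mode: run certmonger's own listing; fall back to the sample if
    # `getcert` is not installed (e.g. when run on a workstation).
    try:
        out = subprocess.run(["getcert", "list"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE
    raise SystemExit(1 if report(out) else 0)
```

Run on a host with certmonger installed it exits non-zero when any tracked request is stuck, which makes it usable as a cron or Nagios-style check on each of srv1 and srv2; on a machine without `getcert` it falls back to the constructed sample so the parser can be exercised offline.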
