Benjamin Soriano wrote:
Hello all,

Here is the situation. I have a web service (reachable via that runs on two servers ( and The load is distributed on servers by a DNS round robin.
And I want the certificate for to be managed by
IPA (which is my root CA) and take advantage of certificate monitoring.
The two servers are registered in IPA and can request their own

I managed to request the certificate on one of the servers by doing the
following:

Create fake host on
 > ipa host-add
 > ipa host-add-managedby
 > ipa service-add HTTP/
 > ipa service-add-hosts HTTP/

Then request the certificate on srv1:
 > ipa-getcert request  -r -f /etc/pki/certs/ -k /etc/pki/private/ -N -D -K HTTP/

It works pretty well. But if I add the second server that way :
 > ...
 > ipa host-add-managedby,
 > ...
 > ipa service-add-hosts HTTP/,

I can only request the certificate on one of the servers. The first
request is going well (no matter on which server I do it) and the second
is stuck in this state :

Request ID '20140107165415':
         status: CA_REJECTED
         ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this
         stuck: yes
         key pair storage:
         CA: IPA

Is this a normal behavior?

If yes, what could be the right way to achieve what I want?


The problem is you would have two separate, valid certificates for the same service and we only store one at a time. The second request is going to try to revoke the original cert in order to issue another one. I'm guessing it is failing on the revocation step.

I think you'll need to pick one server to manage it and manually copy it to any other servers. This loses the advantage of certmonger on the other boxes unfortunately.
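A small check for the stuck state shown in the question, added here as an example (it is not code from the thread or from the FreeIPA project): it parses `getcert list` output and reports every tracked request that certmonger marks as stuck, so a monitoring job on each host can flag a request the CA rejected instead of waiting on a renewal that will never come. The `getcert list` sample, request IDs and file paths below are constructed; real output indents with tabs, which the patterns also accept.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output: one healthy tracked request
# and one stuck in the CA_REJECTED state described in the thread.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140107165414':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/private/svc.key'
        certificate: type=FILE,location='/etc/pki/certs/svc.crt'
        CA: IPA
Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/svc.key'
        CA: IPA
EOF
}

# stuck_requests: read `getcert list` output on stdin and print one line
# "<request id> <status> <ca-error or ->" per request flagged "stuck: yes".
stuck_requests() {
    awk '
        function flush() { if (stuck == "yes") print id, status, (err == "" ? "-" : err) }
        /^Request ID/ {
            flush()
            id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)   # strip the quotes and colon
            status = "-"; stuck = "no"; err = ""
        }
        /^[ \t]+status:/   { status = $2 }
        /^[ \t]+ca-error:/ { sub(/^[ \t]+ca-error:[ \t]*/, ""); err = $0 }
        /^[ \t]+stuck:/    { stuck = $2 }
        END { flush() }
    '
}

# access_denied_requests: of the stuck requests, print only the IDs whose
# CA error is the "Insufficient access" denial seen when a second host asks
# for a certificate that IPA already holds for the same service principal.
access_denied_requests() {
    stuck_requests | awk '/Insufficient access/ { print $1 }'
}

# On a real host replace the sample with: getcert list | stuck_requests
sample_getcert_list | stuck_requests
```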


Freeipa-users mailing list