Petr Spacek wrote:
On 7.1.2014 19:21, Rob Crittenden wrote:
Benjamin Soriano wrote:
Hello all,

Here is the situation. I have a web service (reachable via that run on two servers ( and The load is distributed on servers by a DNS round
And I want the certificate for be managed by
IPA (which is my root CA) and take advantage of certificate monitoring.
The two servers are registered in IPA and can request their own

I managed to request the certificate on one of the servers by doing the
following:

Create fake host on
 > ipa host-add
 > ipa host-add-managedby
 > ipa service-add HTTP/
 > ipa service-add-hosts HTTP/

Then request the certificate on srv1:
 > ipa-getcert request -r -f /etc/pki/certs/ -k /etc/pki/private/ -N -D -K HTTP/

It works pretty well. But if I add the second server this way:
 > ...
 > ipa host-add-managedby,
 > ...
 > ipa service-add-hosts HTTP/,

I can only request the certificate on one of the servers. The first
request goes well (no matter on which server I do it) and the second
is stuck in this state:

Request ID '20140107165415':
         status: CA_REJECTED
         ca-error: Server denied our request, giving up: 2100 (RPC
failed at server.  Insufficient access: not allowed to perform this
         stuck: yes
         key pair storage:
         CA: IPA

Is this a normal behavior?

If yes, what could be the right way to achieve what I want?
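Added example, not code from the thread: a small shell check that scans `ipa-getcert list` output for requests left in the CA_REJECTED / stuck state shown above, so the certificate monitoring the poster wants can alert on them. The sample listing, request IDs, paths and error text are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: flag certmonger requests that
# have ended up in the CA_REJECTED / stuck state shown above, so the
# "certificate monitoring" the poster wants can alert on them.
# Reads `ipa-getcert list` output on stdin and prints one line per
# problem request: <request id> <status> <ca-error text>

find_stuck_requests() {
    awk -v q="'" '
        function emit() {
            if (id != "" && (status == "CA_REJECTED" || stuck == "yes"))
                print id, status, err
            id = ""; status = ""; stuck = ""; err = ""
        }
        /^Request ID/ {
            emit()
            id = $3; gsub(q, "", id); sub(/:$/, "", id)  # drop quotes and colon
            next
        }
        /^[ \t]*status:/   { status = $2; next }
        /^[ \t]*stuck:/    { stuck = $2; next }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0; next }
        END { emit() }
    '
}

# Constructed sample listing (request IDs, paths and error text are made up
# to mirror the shape of the output quoted in the thread).
sample_listing() {
    cat <<'EOF'
Request ID '20140107165000':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/private/web.key'
        CA: IPA
Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access)
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/web.key'
        CA: IPA
EOF
}

# Live use: ipa-getcert list | find_stuck_requests
sample_listing | find_stuck_requests
```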


The problem is you would have two separate, valid certificates for the
service and we only store one at a time. The second request is going to
try to revoke the original cert in order to issue another one. I'm guessing
it is failing on the revocation step.

I think you'll need to pick one server to manage it and manually copy it
to any other servers. This loses the advantage of certmonger on the other

I think that 'the right approach' is to issue separate certificates for and and add a SAN (Subject Alternative Name) to both of them.


I'm not sure how to get such certificate from FreeIPA. Rob, could you
add some details?

Not currently possible, see


Freeipa-users mailing list
