Hello all,

Here is the situation. I have a web service (reachable via
service.example.com) that runs on two servers (srv1.example.com and
srv2.example.com). The load is distributed on servers by a DNS round
And I want the certificate for https://service.example.com to be managed by
IPA (which is my root CA) and take advantage of certificate monitoring.
The two servers are registered in IPA and can request their own

I managed to request the certificate on one of the servers by doing the
following:

Create a fake host on ds.example.com
 > ipa host-add service.example.com
 > ipa host-add-managedby service.example.com --hosts=srv1.example.com
 > ipa service-add HTTP/service.example.com
 > ipa service-add-hosts HTTP/service.example.com

Then request the certificate on srv1:
 > ipa-getcert request  -r -f /etc/pki/certs/service.example.com.crt -k
/etc/pki/private/service.example.com.key -N CN=service.example.com -D
service.example.com -K HTTP/service.example.com

It works pretty well. But if I add the second server that way:
 > ...
 > ipa host-add-managedby service.example.com
 > ...
 > ipa service-add-hosts HTTP/service.example.com

I can only request the certificate on one of the servers. The first
request is going well (no matter on which server I do it) and the second
is stuck in this state:

Request ID '20140107165415':
         status: CA_REJECTED
         ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this
         stuck: yes
         key pair storage:
         CA: IPA

Is this a normal behavior?

If yes, what could be the right way to achieve what I want?

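An added example (not from this thread) for catching exactly the state shown above without reading the listing by hand: it scans `ipa-getcert list` output, assuming the field layout quoted in the post, and reports every tracking request certmonger has given up on (`stuck: yes`) together with its status and ca-error, so a cron job or monitoring check can alert on it.

```shell
#!/bin/sh
# stuck_requests: read `ipa-getcert list` output on stdin and print one
# line per request with "stuck: yes", as "ID<TAB>status<TAB>ca-error".
# Fields are accumulated per "Request ID" block and flushed at the next
# block or at end of input, so field order inside a block does not matter.
stuck_requests() {
    awk '
        function flush() {
            if (id != "" && stuck == "yes")
                printf "%s\t%s\t%s\n", id, status, err
        }
        /^Request ID/ {
            flush()
            id = $3                               # e.g. '\''20140107165415'\'':
            gsub(/[^[:alnum:]_.-]/, "", id)       # strip the quotes and colon
            status = ""; err = ""; stuck = ""
        }
        /^[ \t]*status:/   { sub(/^[ \t]*status: */, "");   status = $0 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: */, ""); err = $0 }
        /^[ \t]*stuck:/    { sub(/^[ \t]*stuck: */, "");    stuck = $0 }
        END { flush() }
    '
}

# Constructed sample listing (not real output): one rejected request in the
# state from the post, plus one healthy request that must not be reported.
sample_listing() {
    cat <<'EOF'
Request ID '20140107165415':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access)
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
        CA: IPA
Request ID '20140107170000':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/private/srv2.example.com.key'
        CA: IPA
EOF
}

# Usage on a real host: ipa-getcert list | stuck_requests
sample_listing | stuck_requests
```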

The problem is you would have two separate, valid certificates for the
service and we only store one at a time. The second request is going
to try to revoke the original cert in order to issue another one. I'm
guessing it is failing on the revocation step.

I think you'll need to pick one server to manage it and manually copy
it to any other servers. This loses the advantage of certmonger on the other

I think that 'the right approach' is to issue separate certificates for
srv1.example.com and srv2.example.com and add SAN (Subject Alternative
Name) cn=service.example.com to both of them.


I'm not sure how to get such a certificate from FreeIPA. Rob, could you
add some details?

Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977

Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is under review :-)

Petr^2 Spacek

