On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias. I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias. However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
>
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton....@astro.princeton.edu
> Principal alias: host/puppet.astro.princeton....@astro.princeton.edu
>
> Principal alias: HTTP/coathook.astro.princeton....@astro.princeton.edu
> Principal alias: HTTP/puppet.astro.princeton....@astro.princeton.edu
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
>
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
> /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
> CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
> HTTP/coathook.astro.princeton....@astro.princeton.edu -C
> '/usr/sbin/apachectl graceful'
>
> When I check with ipa-getcert list, I find:
> ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server. The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
>
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
>
> So how does one create a certificate for an alias on a host?
>

Hi Steve,

The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser