[ovirt-users] Re: Error creating host certificate with SubjectAltName with pki-enroll-request.sh

2020-12-08 Thread Yedidyah Bar David
On Tue, Dec 8, 2020 at 5:32 PM Derek Atkins  wrote:
>
>
> On Tue, December 8, 2020 10:17 am, Yedidyah Bar David wrote:
> > On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins  wrote:
> >>
> [snip]
> >> Is there any chance this could be added to the --help output?
> >> An actual example would have been very useful.
> >
> > Frankly, I'd prefer people (like you) that need to use these
> > utilities manually, to search the net if they have problems,
> > than spending hours debating about how long --help should be,
> > what should be included in it and what not, what link we might
> > provide for further reference (and please note that I didn't
> > include such a link in my original reply - simply because I
> > failed to find one that seemed "most suitable"), etc. That said,
> > patches are welcome! If you think you can improve the current
> > text in a conflict-free way, which everyone will agree to, please
> > go ahead and push a patch! :-)
>
> I'll take a look at doing that.

Thanks.

>
> I did google some before asking here, but there were very few hits for
> usage of pki-enroll-request.sh -- although I admit I did not try many
> different search terms.  Most of the results were not ovirt related nor
> related to this script at all.

Of course. Many people had to struggle with SAN, together with oVirt,
when it became more common, and gradually replaced CN in Subject.

>
> > BTW: What I personally do, is to search the code and/or relevant
> > logs to see what other tools (the engine, engine-setup, in this
> > case) do, as "reference examples".
>
> That presumes having ready access to (in this case) ovirt sources -- which
> you obviously do but I do not.  As a user, I don't feel I should need to
> go refer to the sources to determine how a utility program should be
> properly used.  IMHO that's what documentation is used for.  However I
> will keep that in mind for my next issue ;)

Of course I agree, that users are not *expected* to search the sources.
But with open-source, at least they *can* :-).

And, BTW, my emphasis was on searching the logs. This is often more
helpful than searching the sources, if the logs are good.

>
> But I do understand your PoV -- for GnuCash I often reference the sources
> when answering people's questions.  However that's a case where I am (or
> was) one of the developers so I do have the sources handy.  :)

Exactly. I think it's more a matter of habit.

When I was a sysadmin, I used to search sources much less than today
(as a developer), also in cases where I am a "casual user", in projects
not closely involving my main work.

>
> Thanks again.  I am all set now!

Thanks for the report, and best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5YYYPNTVMSQVQDWAOB5NRRVAKNDAUKCC/


[ovirt-users] Re: Error creating host certificate with SubjectAltName with pki-enroll-request.sh

2020-12-08 Thread Derek Atkins

On Tue, December 8, 2020 10:17 am, Yedidyah Bar David wrote:
> On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins  wrote:
>>
[snip]
>> Is there any chance this could be added to the --help output?
>> An actual example would have been very useful.
>
> Frankly, I'd prefer people (like you) that need to use these
> utilities manually, to search the net if they have problems,
> than spending hours debating about how long --help should be,
> what should be included in it and what not, what link we might
> provide for further reference (and please note that I didn't
> include such a link in my original reply - simply because I
> failed to find one that seemed "most suitable"), etc. That said,
> patches are welcome! If you think you can improve the current
> text in a conflict-free way, which everyone will agree to, please
> go ahead and push a patch! :-)

I'll take a look at doing that.

I did google some before asking here, but there were very few hits for
usage of pki-enroll-request.sh -- although I admit I did not try many
different search terms.  Most of the results were not ovirt related nor
related to this script at all.

> BTW: What I personally do, is to search the code and/or relevant
> logs to see what other tools (the engine, engine-setup, in this
> case) do, as "reference examples".

That presumes having ready access to (in this case) ovirt sources -- which
you obviously do but I do not.  As a user, I don't feel I should need to
go refer to the sources to determine how a utility program should be
properly used.  IMHO that's what documentation is used for.  However I
will keep that in mind for my next issue ;)

But I do understand your PoV -- for GnuCash I often reference the sources
when answering people's questions.  However that's a case where I am (or
was) one of the developers so I do have the sources handy.  :)

Thanks again.  I am all set now!

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AK42QT53KEZ4BXSCXX6K4VXDVRBRGN3R/


[ovirt-users] Re: Error creating host certificate with SubjectAltName with pki-enroll-request.sh

2020-12-08 Thread Yedidyah Bar David
On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins  wrote:
>
> Hi Didi,
>
> On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
> > On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins  wrote:
> >>
> >> Hi,
> >>
> >> I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
> >> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
> >> not have a SubjectAltName.
> >>
> >> If I try to use pki-enroll-request.sh to rebuild the host cert and follow
> >> the instructions to add a --san, I get an error:
> >>
> >> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
> >> --san=host.na.me
> >
> > Please try with '--san=DNS:host.na.me'.
>
> AHA, thank you...  That worked.
>
> >> Using configuration from openssl.conf
> >> Check that the request matches the signature
> >> Signature ok
> >> The Subject's Distinguished Name is as follows
> >> organizationName  :PRINTABLE:'My Org Name'
> >> commonName:PRINTABLE:'host.na.me'
> >> ERROR: adding extensions in section v3_ca_san
> >> 139875647600528:error:2207507C:X509 V3
> >> routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
> >> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
> >> extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
> >> Cannot sign certificate
> >>
> >> Am I using this script incorrectly?
> >
> > You are using it well. --san argument is passed as-is to openssl's
> > 'subjectAltName', which requires a prefix to tell its type. Search the
> > net for 'openssl subjectAltName' for other examples.
>
> Is there any chance this could be added to the --help output?
> An actual example would have been very useful.

Frankly, I'd prefer people (like you) that need to use these
utilities manually, to search the net if they have problems,
than spending hours debating about how long --help should be,
what should be included in it and what not, what link we might
provide for further reference (and please note that I didn't
include such a link in my original reply - simply because I
failed to find one that seemed "most suitable"), etc. That said,
patches are welcome! If you think you can improve the current
text in a conflict-free way, which everyone will agree to, please
go ahead and push a patch! :-)

BTW: What I personally do, is to search the code and/or relevant
logs to see what other tools (the engine, engine-setup, in this
case) do, as "reference examples".

Best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LBCZW3HZNGJIXZCONQJSE4IJZ7LB74FM/


[ovirt-users] Re: Error creating host certificate with SubjectAltName with pki-enroll-request.sh

2020-12-08 Thread Derek Atkins
Hi Didi,

On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
> On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins  wrote:
>>
>> Hi,
>>
>> I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
>> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
>> not have a SubjectAltName.
>>
>> If I try to use pki-enroll-request.sh to rebuild the host cert and follow
>> the instructions to add a --san, I get an error:
>>
>> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
>> --san=host.na.me
>
> Please try with '--san=DNS:host.na.me'.

AHA, thank you...  That worked.

>> Using configuration from openssl.conf
>> Check that the request matches the signature
>> Signature ok
>> The Subject's Distinguished Name is as follows
>> organizationName  :PRINTABLE:'My Org Name'
>> commonName:PRINTABLE:'host.na.me'
>> ERROR: adding extensions in section v3_ca_san
>> 139875647600528:error:2207507C:X509 V3
>> routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
>> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
>> extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
>> Cannot sign certificate
>>
>> Am I using this script incorrectly?
>
> You are using it well. --san argument is passed as-is to openssl's
> 'subjectAltName', which requires a prefix to tell its type. Search the
> net for 'openssl subjectAltName' for other examples.

Is there any chance this could be added to the --help output?
An actual example would have been very useful.

Thanks again!

> Best regards,
> --
> Didi

-derek


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UU4NAMQXEGUDLYG2WJJILTJZ3QRYVCRA/


[ovirt-users] Re: Error creating host certificate with SubjectAltName with pki-enroll-request.sh

2020-12-08 Thread Yedidyah Bar David
On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins  wrote:
>
> Hi,
>
> I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
> not have a SubjectAltName.
>
> If I try to use pki-enroll-request.sh to rebuild the host cert and follow
> the instructions to add a --san, I get an error:
>
> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
> --san=host.na.me

Please try with '--san=DNS:host.na.me'.

> Using configuration from openssl.conf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName  :PRINTABLE:'My Org Name'
> commonName:PRINTABLE:'host.na.me'
> ERROR: adding extensions in section v3_ca_san
> 139875647600528:error:2207507C:X509 V3
> routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
> extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
> Cannot sign certificate
>
> Am I using this script incorrectly?

You are using it well. --san argument is passed as-is to openssl's
'subjectAltName', which requires a prefix to tell its type. Search the
net for 'openssl subjectAltName' for other examples.

Best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TVLEO7WSZYWLNXVQTW5F2RPVL4WRFE3U/
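
The reply above explains that `--san` is handed unchanged to openssl's `subjectAltName`, which needs a type prefix on each entry. As an added example (not part of the thread or of oVirt's script), this pre-flight check catches a bare value such as `host.na.me` before signing fails; `guess_san_type` and `fix_san` are hypothetical helper names, and entries are assumed to contain no spaces or commas.

```shell
#!/bin/sh
# Added example; guess_san_type and fix_san are hypothetical helper names,
# not part of pki-enroll-request.sh. Sample values are constructed.

# Print the likely subjectAltName type for a bare value; fail if unclear.
guess_san_type() {
    case "$1" in
        ""|*:)     return 1 ;;                # empty, or a prefix with no value
        *@*)       echo email ;;
        *://*)     echo URI ;;
        *[!0-9A-Fa-f:.]*)                     # has characters no IP literal uses
            case "$1" in *:*) return 1 ;; *) echo DNS ;; esac ;;
        *:*)       echo IP ;;                 # hex digits and colons: IPv6
        *[!0-9.]*) echo DNS ;;                # e.g. "cafe.de"
        *.*.*.*)   echo IP ;;                 # dotted quad
        *)         echo DNS ;;
    esac
}

# Print VALUE with a type prefix on every comma-separated entry.
# Status: 0 already well-formed, 1 prefixes were added, 2 entry not classifiable.
fix_san() (
    IFS=', '; set -f          # split on commas; keep "*.example.com" unexpanded
    out='' changed=0
    for entry in $1; do
        case "$entry" in
            # Type keywords that openssl's subjectAltName syntax accepts.
            DNS:?*|IP:?*|email:?*|URI:?*|RID:?*|dirName:?*|otherName:?*) ;;
            *)  t=$(guess_san_type "$entry") || exit 2
                entry="$t:$entry"; changed=1 ;;
        esac
        out="${out:+$out,}$entry"
    done
    [ -n "$out" ] || exit 2
    printf '%s\n' "$out"
    [ "$changed" -eq 0 ]
)

# Usage with the command from the thread:
#   san=$(fix_san "host.na.me") || [ $? -eq 1 ] || exit 1
#   /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san="$san"
```

Status 2 is deliberate for input like `dns:host.na.me` or `host:8080`: the value already looks prefixed, so it is rejected for a human to correct instead of being guessed at.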