I am getting an odd error when trying to issue a certificate with an IP
address in its SAN.  I am using IPA 4.6.8 on RHEL 7.9, so it's a bit
old, but it should work, AFAIK.

Here is the host for which I want to issue the certificate:

 $ ipa host-show node01-idrac.pemlab.rdu2.redhat.com
   Host name: node01-idrac.pemlab.rdu2.redhat.com
   Principal name: host/node01-idrac.pemlab.rdu2.redhat....@pemlab.rdu2.redhat.com
   Principal alias: host/node01-idrac.pemlab.rdu2.redhat....@pemlab.rdu2.redhat.com
   Password: False
   Keytab: False
   Managed by: node01-idrac.pemlab.rdu2.redhat.com

Here is the CSR:

 $ openssl req -noout -text -in node01-idrac.csr
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: CN=node01-idrac.pemlab.rdu2.redhat.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     ⋮
                 Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
             X509v3 Subject Alternative Name:
                 DNS:node01-idrac.pemlab.rdu2.redhat.com, DNS:node01-idrac, DNS:10.11.173.11
     Signature Algorithm: sha256WithRSAEncryption
          ⋮

The DNS records:

 $ ipa dnsrecord-show pemlab.rdu2.redhat.com node01-idrac
   Record name: node01-idrac
   A record: 10.11.173.11

 $ ipa dnsrecord-show 173.11.10.in-addr.arpa 11
   Record name: 11
   PTR record: node01-idrac.pemlab.rdu2.redhat.com.

 $ ipa cert-request node01-idrac.csr --certificate-out node01-idrac.crt \
     --principal host/node01-idrac.pemlab.rdu2.redhat....@pemlab.rdu2.redhat.com
 ipa: ERROR: The service principal for subject alt name 10.11.173.11 in certificate request does not exist

From my examination of ipaserver/plugins/cert.py, I don't think that
this has anything to do with validation of the IP address, as the
exception seems to be raised before _validate_san_ips ever gets called.

Beyond that, however, I really don't know what's going on.

I've filed this as https://bugzilla.redhat.com/show_bug.cgi?id=1960041,
but I was wondering if anyone on this list has seen this behavior or can
spot an error that I'm making.

Thanks!

--
========================================================================
                 In Soviet Russia, Google searches you!
========================================================================
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
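An added check, not from the post or from FreeIPA itself, that inspects the SAN line of an `openssl req -text` dump: in the CSR above the address appears as `DNS:10.11.173.11` rather than as an `IP Address:` entry, which is the entry the error message names. The sample text is constructed from the dump in the post; the helper names are my own and use only the Python standard library.

```python
"""Find IP literals that a CSR encodes as dNSName SAN entries.

FreeIPA's cert-request resolves every dNSName against a host/service
principal, so an IP written as DNS: is looked up as a hostname (the
error in the post shows exactly that lookup failing for 10.11.173.11).
"""
import ipaddress

# Constructed sample: the SAN portion of the ``openssl req -text`` dump above.
CSR_TEXT = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:node01-idrac.pemlab.rdu2.redhat.com, DNS:node01-idrac, DNS:10.11.173.11
    Signature Algorithm: sha256WithRSAEncryption
"""

SAN_HEADER = "X509v3 Subject Alternative Name:"


def parse_san(csr_text):
    """Return SAN entries as (type, value) tuples, e.g. ("DNS", "host")."""
    lines = csr_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == SAN_HEADER and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",") if e.strip()]
            # split on the first colon only so IPv6 literals stay intact
            return [tuple(e.split(":", 1)) for e in entries]
    return []


def misencoded_ips(entries):
    """dNSName values that are really IP addresses (v4 or v6)."""
    bad = []
    for typ, value in entries:
        if typ != "DNS":
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # a genuine hostname, leave it alone
        bad.append(value)
    return bad


def corrected_addext(entries):
    """Rebuild the SAN as an ``openssl req -addext`` value with IPs typed IP:."""
    bad = set(misencoded_ips(entries))
    parts = []
    for typ, value in entries:
        if typ == "IP Address" or (typ == "DNS" and value in bad):
            parts.append("IP:" + value)
        else:
            parts.append(f"{typ}:{value}")
    return "subjectAltName=" + ",".join(parts)
```

Re-issuing the CSR with the returned `-addext` value puts the address in an iPAddress entry, which is the form `_validate_san_ips` is written to handle.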