Re: [Freeipa-users] Get certificate for virtual host on many hosts
On 07/01/2014 19:43, Petr Spacek wrote:
> On 7.1.2014 19:40, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 7.1.2014 19:21, Rob Crittenden wrote:
>>>> Benjamin Soriano wrote:
>>>>> Hello all,
>>>>>
>>>>> Here is the situation. I have a web service (reachable via
>>>>> service.example.com) that runs on two servers (srv1.example.com and
>>>>> srv2.example.com). The load is distributed on the servers by DNS round
>>>>> robin. And I want the certificate for https://service.example.com to be
>>>>> managed by IPA (which is my root CA) and take advantage of certificate
>>>>> monitoring. The two servers are registered in IPA and can request their
>>>>> own certificate.
>>>>>
>>>>> I managed to request the certificate on one of the servers by doing the
>>>>> following:
>>>>>
>>>>> Create a fake host on ds.example.com:
>>>>>
>>>>>   ipa host-add service.example.com
>>>>>   ipa host-add-managedby service.example.com --hosts=srv1.example.com
>>>>>   ipa service-add HTTP/service.example.com
>>>>>   ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com
>>>>>
>>>>> Then request the certificate on srv1:
>>>>>
>>>>>   ipa-getcert request -r -f /etc/pki/certs/service.example.com.crt \
>>>>>     -k /etc/pki/private/service.example.com.key \
>>>>>     -N CN=service.example.com -D service.example.com \
>>>>>     -K HTTP/service.example.com
>>>>>
>>>>> It works pretty well. But if I add the second server that way:
>>>>>
>>>>>   ...
>>>>>   ipa host-add-managedby service.example.com --hosts=srv1.example.com,srv2.example.com
>>>>>   ...
>>>>>   ipa service-add-hosts HTTP/service.example.com --hosts=srv1.example.com,srv2.example.com
>>>>>
>>>>> I can only request the certificate on one of the servers. The first
>>>>> request goes well (no matter on which server I do it) and the second is
>>>>> stuck in this state:
>>>>>
>>>>>   Request ID '20140107165415':
>>>>>       status: CA_REJECTED
>>>>>       ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
>>>>>       stuck: yes
>>>>>       key pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
>>>>>       certificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
>>>>>       CA: IPA
>>>>>   ...
>>>>>
>>>>> Is this normal behavior? If yes, what could be the right way to achieve
>>>>> what I want?
>>>>>
>>>>> Regards,
>>>>
>>>> The problem is you would have two separate, valid certificates for the
>>>> same service and we only store one at a time. The second request is
>>>> going to try to revoke the original cert in order to issue another one.
>>>> I'm guessing it is failing on the revocation step.
>>>>
>>>> I think you'll need to pick one server to manage it and manually copy it
>>>> to any other servers. This loses the advantage of certmonger on the
>>>> other boxes unfortunately.
>>>
>>> I think that 'the right approach' is to issue separate certificates for
>>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
>>> Name) cn=service.example.com to both of them. See
>>> http://en.wikipedia.org/wiki/SubjectAltName
>>>
>>> I'm not sure how to get such a certificate from FreeIPA. Rob, could you
>>> add some details?
>>
>> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977
>
> Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is
> on review :-)

Indeed, lucky me. Thanks a lot guys!

-- 
Benjamin Soriano

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
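The thread above wants certmonger to do the monitoring, but a request that ends up in CA_REJECTED with stuck: yes is exactly the case where nothing renews the file on disk, and once per-host certificates carry the shared name as a SAN (Petr's suggestion) each host also needs to be checked for that SAN. The following script is an added example, not code from the thread, from FreeIPA or from certmonger: it parses the output of `getcert list` and flags stuck requests, certificates near expiry, and certificates that do not list the service name as a DNS SAN. The sample output embedded in it is constructed by hand from the fields certmonger prints; the service name, the 30-day warning window and the request IDs are assumptions.

```python
"""Flag certmonger-tracked certificates that need attention.

Added example for this thread (not FreeIPA or certmonger code). Run it as
root on a host where certmonger tracks the web server certificate, or with
no certmonger present it falls back to the constructed sample below.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (assumed field layout): one
# healthy per-host certificate that carries the shared service name as a
# SAN, and one request stuck the way the thread shows.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140107165000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/private/srv1.example.com.key'
\tcertificate: type=FILE,location='/etc/pki/certs/srv1.example.com.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=srv1.example.com,O=EXAMPLE.COM
\texpires: 2016-01-07 16:50:00 UTC
\tdns: srv1.example.com,service.example.com
\tprincipal name: HTTP/srv1.example.com@EXAMPLE.COM
\ttrack: yes
\tauto-renew: yes
Request ID '20140107165415':
\tstatus: CA_REJECTED
\tca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/private/service.example.com.key'
\tcertificate: type=FILE,location='/etc/pki/certs/service.example.com.crt'
\tCA: IPA
\ttrack: yes
\tauto-renew: yes
"""

_REQ_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output.

    Fields are the tab-indented "key: value" lines under each request;
    only the first colon splits, so ca-error text keeps its own colons.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith("\t"):
            continue  # summary header or text outside any request block
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def check_requests(requests, service_name, now, warn_days=30):
    """Return (request_id, kind, detail) tuples for requests needing action.

    kind is "stuck" (certmonger gave up or is not yet monitoring),
    "expiring" (expires within warn_days of now) or "missing-san"
    (service_name is not among the certificate's DNS SANs).
    """
    problems = []
    horizon = now + timedelta(days=warn_days)
    for req_id, f in requests.items():
        if f.get("stuck") == "yes" or f.get("status") != "MONITORING":
            # CA_REJECTED in the thread: the file on disk is not being renewed.
            problems.append((req_id, "stuck", f.get("ca-error") or f.get("status", "?")))
            continue
        expires = f.get("expires")
        if expires and expires != "unknown":
            exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= horizon:
                problems.append((req_id, "expiring", expires))
        sans = {n.strip() for n in f.get("dns", "").split(",") if n.strip()}
        if service_name not in sans:
            problems.append((req_id, "missing-san", ",".join(sorted(sans)) or "(none)"))
    return problems


if __name__ == "__main__":
    import subprocess
    import sys

    try:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_GETCERT_LIST  # no certmonger here: use the sample
    service = sys.argv[1] if len(sys.argv) > 1 else "service.example.com"
    for req_id, kind, detail in check_requests(parse_getcert_list(text),
                                               service, datetime.now(timezone.utc)):
        print(f"{req_id}: {kind}: {detail}")
```

Run it on each round-robin member with the shared name as the argument; a non-empty report on any one host means that host will start failing TLS handshakes for service.example.com at some point even though the other host looks fine, which is the failure mode DNS round robin hides until clients hit the bad backend.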
Re: [Freeipa-users] Get certificate for virtual host on many hosts
On Wed, 2014-01-08 at 09:51 +0100, Benjamin Soriano wrote:
> On 07/01/2014 19:43, Petr Spacek wrote:
>> On 7.1.2014 19:40, Rob Crittenden wrote:
>>> Petr Spacek wrote:
>>>> On 7.1.2014 19:21, Rob Crittenden wrote:
>>>>> Benjamin Soriano wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> Here is the situation. I have a web service (reachable via
>>>>>> service.example.com) that runs on two servers (srv1.example.com and
>>>>>> srv2.example.com). The load is distributed on the servers by DNS round
>>>>>> robin. And I want the certificate for https://service.example.com to be
>>>>>> managed by IPA (which is my root CA) and take advantage of certificate
>>>>>> monitoring. The two servers are registered in IPA and can request their
>>>>>> own certificate.
>>>>>>
>>>>>> [...]
>>>>>
>>>>> [...]
>>>>>
>>>>> I think you'll need to pick one server to manage it and manually copy it
>>>>> to any other servers. This loses the advantage of certmonger on the
>>>>> other boxes unfortunately.
>>>>
>>>> I think that 'the right approach' is to issue separate certificates for
>>>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
>>>> Name) cn=service.example.com to both of them. See
>>>> http://en.wikipedia.org/wiki/SubjectAltName
>>>>
>>>> [...]
>>>
>>> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977
>>
>> Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is
>> on review :-)
>
> Indeed, lucky me. Thanks a lot guys!

Benjamin,
in the meanwhile, if you can use SNI on your servers, you could simply get
an additional certificate for service.example.com from IPA, and copy it on
both machines, then configure 2 sites that expose the same data. (easy if
you use something like apache or nginx).

Once the feature becomes available you can replace all the certs with 2
new certs with common alt name.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Get certificate for virtual host on many hosts
Benjamin Soriano wrote:
> Hello all,
>
> Here is the situation. I have a web service (reachable via
> service.example.com) that runs on two servers (srv1.example.com and
> srv2.example.com). The load is distributed on the servers by DNS round
> robin. And I want the certificate for https://service.example.com to be
> managed by IPA (which is my root CA) and take advantage of certificate
> monitoring. The two servers are registered in IPA and can request their
> own certificate.
>
> [...]
>
> I can only request the certificate on one of the servers. The first
> request goes well (no matter on which server I do it) and the second is
> stuck in this state:
>
>   Request ID '20140107165415':
>       status: CA_REJECTED
>       ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
>       stuck: yes
>   ...
>
> Is this normal behavior? If yes, what could be the right way to achieve
> what I want?
>
> Regards,

The problem is you would have two separate, valid certificates for the
same service and we only store one at a time. The second request is going
to try to revoke the original cert in order to issue another one. I'm
guessing it is failing on the revocation step.

I think you'll need to pick one server to manage it and manually copy it
to any other servers. This loses the advantage of certmonger on the other
boxes unfortunately.

rob
Re: [Freeipa-users] Get certificate for virtual host on many hosts
On 7.1.2014 19:21, Rob Crittenden wrote:
> Benjamin Soriano wrote:
>> Hello all,
>>
>> Here is the situation. I have a web service (reachable via
>> service.example.com) that runs on two servers (srv1.example.com and
>> srv2.example.com). The load is distributed on the servers by DNS round
>> robin. And I want the certificate for https://service.example.com to be
>> managed by IPA (which is my root CA) and take advantage of certificate
>> monitoring. The two servers are registered in IPA and can request their
>> own certificate.
>>
>> [...]
>
> The problem is you would have two separate, valid certificates for the
> same service and we only store one at a time. The second request is
> going to try to revoke the original cert in order to issue another one.
> I'm guessing it is failing on the revocation step.
>
> I think you'll need to pick one server to manage it and manually copy it
> to any other servers. This loses the advantage of certmonger on the
> other boxes unfortunately.

I think that 'the right approach' is to issue separate certificates for
srv1.example.com and srv2.example.com and add SAN (Subject Alternative
Name) cn=service.example.com to both of them. See
http://en.wikipedia.org/wiki/SubjectAltName

I'm not sure how to get such a certificate from FreeIPA. Rob, could you
add some details?

-- 
Petr^2 Spacek
Re: [Freeipa-users] Get certificate for virtual host on many hosts
Petr Spacek wrote:
> On 7.1.2014 19:21, Rob Crittenden wrote:
>> Benjamin Soriano wrote:
>>> [...]
>>
>> [...]
>
> I think that 'the right approach' is to issue separate certificates for
> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
> Name) cn=service.example.com to both of them. See
> http://en.wikipedia.org/wiki/SubjectAltName
>
> I'm not sure how to get such a certificate from FreeIPA. Rob, could you
> add some details?

Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977

rob
Re: [Freeipa-users] Get certificate for virtual host on many hosts
On 7.1.2014 19:40, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 7.1.2014 19:21, Rob Crittenden wrote:
>>> Benjamin Soriano wrote:
>>>> [...]
>>>
>>> [...]
>>
>> I think that 'the right approach' is to issue separate certificates for
>> srv1.example.com and srv2.example.com and add SAN (Subject Alternative
>> Name) cn=service.example.com to both of them. See
>> http://en.wikipedia.org/wiki/SubjectAltName
>>
>> I'm not sure how to get such a certificate from FreeIPA. Rob, could you
>> add some details?
>
> Not currently possible, see https://fedorahosted.org/freeipa/ticket/3977

Benjamin, you are lucky. It is planned for FreeIPA 3.4 and the patch is
on review :-)

-- 
Petr^2 Spacek