Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Fraser Tweedale 
On Thu, May 04, 2017 at 10:30:39PM -0400, Steve Huston wrote:
> On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale  wrote:
> > The fix for this was released in FreeIPA 4.5.  See ticket
> > https://pagure.io/freeipa/issue/6295.
> >
> 
> Excellent!  Any chance of that getting backported into the 4.4.x
> series available on RHEL7?
> 
Anecdotally it's unlikely, but it cannot hurt to file a ticket /
support case and ask for it.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Steve Huston 
On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale  wrote:
> The fix for this was released in FreeIPA 4.5.  See ticket
> https://pagure.io/freeipa/issue/6295.
>

Excellent!  Any chance of that getting backported into the 4.4.x
series available on RHEL7?

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Fraser Tweedale 
On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias.  I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias.  However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
> 
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton@astro.princeton.edu
> Principal alias: host/puppet.astro.princeton@astro.princeton.edu
> 
> Principal alias: HTTP/coathook.astro.princeton@astro.princeton.edu
> Principal alias: HTTP/puppet.astro.princeton@astro.princeton.edu
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
> 
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
> /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
> CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
> HTTP/coathook.astro.princeton@astro.princeton.edu -C
> '/usr/sbin/apachectl graceful'
> 
> When I check with ipa-getcert list, I find:
> ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server.  The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
> 
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
> 
> So how does one create a certificate for an alias on a host?
> 
Hi Steve,

The fix for this was released in FreeIPA 4.5.  See ticket
https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Getting a certificate for an alias

2017-05-04 Thread Steve Huston 
I'm trying to use certmonger to get an SSL certificate on a web host
which has an alias.  I added the alias as a principal alias to the
host record in FreeIPA, and I added the service as well with the
actual hostname and the alias.  However every time certmonger contacts
the CA, the request is rejected with "The service principal for
subject alt name ... does not exist" (or earlier, another similar
error which has now been lost to the scrollback).

hostname: coathook.astro.princeton.edu
Principal alias: host/coathook.astro.princeton@astro.princeton.edu
Principal alias: host/puppet.astro.princeton@astro.princeton.edu

Principal alias: HTTP/coathook.astro.princeton@astro.princeton.edu
Principal alias: HTTP/puppet.astro.princeton@astro.princeton.edu
Service: HTTP
Host Name: coathook.astro.princeton.edu

ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
/etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
HTTP/coathook.astro.princeton@astro.princeton.edu -C
'/usr/sbin/apachectl graceful'

When I check with ipa-getcert list, I find:
ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
failed request, will retry: 4001 (RPC failed at server.  The service
principal for subject alt name puppet.astro.princeton.edu in
certificate request does not exist).

Other attempts used the CN of puppet, and the Kerberos principal of
puppet as well, and they also failed but with the slightly different
error (I believe it was that the host does not exist).

So how does one create a certificate for an alias on a host?

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project