Re: [Freeipa-users] Getting a certificate for an alias
On Thu, May 04, 2017 at 10:30:39PM -0400, Steve Huston wrote:
> On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote:
> > The fix for this was released in FreeIPA 4.5. See ticket
> > https://pagure.io/freeipa/issue/6295.
> >
>
> Excellent! Any chance of that getting backported into the 4.4.x
> series available on RHEL7?
>

Anecdotally it's unlikely, but it cannot hurt to file a ticket /
support case and ask for it.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting a certificate for an alias
On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote:
> The fix for this was released in FreeIPA 4.5. See ticket
> https://pagure.io/freeipa/issue/6295.
>

Excellent! Any chance of that getting backported into the 4.4.x
series available on RHEL7?

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery." -Rush, 'Cygnus X-1'

Re: [Freeipa-users] Getting a certificate for an alias
On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias. I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias. However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
>
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton@astro.princeton.edu
> Principal alias: host/puppet.astro.princeton@astro.princeton.edu
>
> Principal alias: HTTP/coathook.astro.princeton@astro.princeton.edu
> Principal alias: HTTP/puppet.astro.princeton@astro.princeton.edu
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
>
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
> /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
> CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
> HTTP/coathook.astro.princeton@astro.princeton.edu -C
> '/usr/sbin/apachectl graceful'
>
> When I check with ipa-getcert list, I find:
> ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server. The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
>
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
>
> So how does one create a certificate for an alias on a host?
>

Hi Steve,

The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser

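Added example, not part of the original thread or of certmonger: a small filter that reads `ipa-getcert list` output and reports, per tracked request, the subject alt name that the CA refused with the error quoted above. The function names, the request IDs and the status values in the sample are constructed for illustration; only the ca-error text is taken from the thread.

```shell
#!/bin/sh
# Print "<request id><TAB><rejected SAN>" for every tracked request whose
# ca-error says the service principal for a subject alt name does not exist.
# Input: `ipa-getcert list` output on stdin.
san_rejections() {
    awk -v q="'" '
        # Each record starts with: Request ID <quoted id>:
        /^Request ID / {
            id = $0
            sub(/^Request ID /, "", id)
            sub(/:$/, "", id)
            gsub(q, "", id)
            next
        }
        # Match the error text from this thread and pull out the DNS name.
        $1 == "ca-error:" && match($0, /subject alt name [^ ]+ in certificate request does not exist/) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            print id "\t" w[4]
        }
    '
}

# Constructed sample of `ipa-getcert list` output (IDs and status values
# are made up; the ca-error line is the one quoted in the thread).
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170504213626':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml failed request, will retry: 4001 (RPC failed at server. The service principal for subject alt name puppet.astro.princeton.edu in certificate request does not exist).
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/puppetexplorer.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/puppetexplorer.crt'
Request ID '20170101000000':
    status: MONITORING
    stuck: no
EOF
}

# On a real host: ipa-getcert list | san_rejections
sample_list | san_rejections
```
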
[Freeipa-users] Getting a certificate for an alias
I'm trying to use certmonger to get an SSL certificate on a web host
which has an alias. I added the alias as a principal alias to the
host record in FreeIPA, and I added the service as well with the
actual hostname and the alias. However every time certmonger contacts
the CA, the request is rejected with "The service principal for
subject alt name ... does not exist" (or earlier, another similar
error which has now been lost to the scrollback).

hostname: coathook.astro.princeton.edu
Principal alias: host/coathook.astro.princeton@astro.princeton.edu
Principal alias: host/puppet.astro.princeton@astro.princeton.edu

Principal alias: HTTP/coathook.astro.princeton@astro.princeton.edu
Principal alias: HTTP/puppet.astro.princeton@astro.princeton.edu
Service: HTTP
Host Name: coathook.astro.princeton.edu

ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key \
    -f /etc/pki/tls/certs/puppetexplorer.crt \
    -D puppet.astro.princeton.edu \
    -N CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU \
    -K HTTP/coathook.astro.princeton@astro.princeton.edu \
    -C '/usr/sbin/apachectl graceful'

When I check with ipa-getcert list, I find:
ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
failed request, will retry: 4001 (RPC failed at server. The service
principal for subject alt name puppet.astro.princeton.edu in
certificate request does not exist).

Other attempts used the CN of puppet, and the Kerberos principal of
puppet as well, and they also failed but with the slightly different
error (I believe it was that the host does not exist).

So how does one create a certificate for an alias on a host?

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery." -Rush, 'Cygnus X-1'