Re: [Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request
Hi,

I am trying to create a replica for my IPA server environment. When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

at the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:
Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rep.ipa.grp.gpg
Adding DNS records for rep.ipa.grp
Could not create forward DNS zone for the replica: Nameserver 'srv.ipa.grp.' does not have a corresponding A/ record

--

Do you have any idea about that? Or, is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request
Anwar El fatayri wrote:
> Hello everyone...
>
> I'm trying to request SSL Certificates from my machines (ex : vadqualif02) for a specific service (ex : Syslog-ng).
>
> I would like to distinguish between my client and server certificates by changing the DN. The problem is that when I try to do that (see the command below), I'm still getting the default DN (CN=hostname).
>
> sudo ipa-getcert request -r -f /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N OU=toto,CN=roro -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra
>
> Any ideas ?

I'm surprised this isn't just being rejected instead.

IPA requires that the CN of the CSR match the host/service being requested for. It will also drop anything other than CN and replace it with the subject of the CA (usually O=EXAMPLE.COM).

There is no way around this.

rob
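The two rules stated in the reply above (the CN must match the host of the requested principal; everything other than CN is replaced by the CA's subject), modelled as a pre-flight check on a requested subject. This is an added example, not FreeIPA or certmonger code; the function names, the sample principal and the `O=EXAMPLE.COM` default are assumptions made for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN string into (ATTR, value) pairs; a backslash-escaped comma stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def principal_host(principal):
    """Return the host component of a service/host@REALM principal, lower-cased."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[-1].lower()

def check_request(requested_dn, principal, subject_base="O=EXAMPLE.COM"):
    """Apply the two rules from the reply to a requested subject (hypothetical helper).

    cn_matches     - does the single requested CN equal the principal's host?
    dropped        - RDNs other than CN, which the reply says are discarded
    issued_subject - the only subject those rules allow for this principal
    """
    host = principal_host(principal)
    rdns = parse_dn(requested_dn)
    cns = [value for attr, value in rdns if attr == "CN"]
    return {
        "cn_matches": len(cns) == 1 and cns[0].lower() == host,
        "dropped": ["%s=%s" % (attr, value) for attr, value in rdns if attr != "CN"],
        "issued_subject": "CN=%s,%s" % (host, subject_base),
    }

if __name__ == "__main__":
    # Constructed principal (the one in the thread is elided by the list archive).
    principal = "SYSLOG-NG_CLIENT/client01.example.com@EXAMPLE.COM"
    for dn in ("OU=toto,CN=roro", "CN=client01.example.com"):
        print(dn, "->", check_request(dn, principal))
```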
[Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request
Hello everyone...

I'm trying to request SSL Certificates from my machines (ex : vadqualif02) for a specific service (ex : Syslog-ng).

I would like to distinguish between my client and server certificates by changing the DN. The problem is that when I try to do that (see the command below), I'm still getting the default DN (CN=hostname).

sudo ipa-getcert request -r -f /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N OU=toto,CN=roro -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra

Any ideas ?

Thx in advance.

El Fatayri Anwar