Bret Wortman via FreeIPA-users wrote:
> Thanks, Rob. I'm a lot closer now.
>
> What I'm getting now looks like:
>
> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add
> --principal=HTTP/$HOST $DB/$HOST.csr
> IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in
> certificate request does not exist
>
> What we've done before is set up each system with its FQDN and just its
> hostname (and some have other aliases as well). Is that what's causing a
> problem?
>
> I've looked for documentation on the ipa cert-request command but can't
> seem to find anything.
IPA requires that every hostname in a cert exist in IPA (so you don't
request a SAN for a host you don't own). In this case it is looking for
HTTP/<shortname> which I presume doesn't exist. You can try forcing the
creation with:

$ ipa service-add HTTP/<shortname> --force

rob

> On Apr 11 2019, at 11:31 am, Rob Crittenden <rcrit...@redhat.com> wrote:
> > Bret Wortman via FreeIPA-users wrote:
> > I know I can paste a CSR from one of our servers into the GUI and
> > generate a new cert, but how can I do this from a command line?
> >
> > I've been working with this:
> >
> > # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr
> >
> > Add the --add option to create the principal if it doesn't already exist
> > (assuming your kerberos principal has rights to add one).
> >
> > You can make this all automatic with something like:
> >
> > # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add
> > --principal=HTTP/$HOST $DB/$HOST.csr
> >
> > No kinit needed.
> >
> > But that's giving me an error that the principal doesn't exist. Then
> > (admittedly, I picked up this command from a discussion I found):
> >
> > # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
> >
> > How do I get the serial number?
> >
> > Basically, I'm trying to wrap and automate the process of granting a new
> > cert to a server.
> >
> > The serial number will be in the output from the cert-request command,
> > twice actually: one decimal, one hex.
> >
> > You can do it hackily via something like:
> >
> > SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request
> > --principal bar/`hostname` /tmp/csr --add 2>&1 | grep "Serial number:
> > " | cut -d: -f2)
> >
> > Though that won't catch errors. You can also do a service-show
> > HTTP/$HOST to get the serial number.
> >
> > rob
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
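Rob's one-liner pulls the serial out of the cert-request output but, as he says, won't catch errors. Here is an added example, not code from the thread or from FreeIPA, of a POSIX sh wrapper that checks the exit status of `ipa cert-request` before parsing the decimal serial and refuses to return an empty or ambiguous value. It assumes the host keytab at /etc/krb5.keytab and the output format described in the thread (a decimal "Serial number:" line plus a hex one); `IPA_CMD` is an assumed hook (defaulting to `ipa`) so the parsing can be exercised against constructed output without a server.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps `ipa cert-request` so a
# failed request is reported instead of silently yielding an empty serial.
# Assumptions: host keytab at /etc/krb5.keytab and cert-request output
# lines "Serial number: <decimal>" and "Serial number (hex): 0x..".
# IPA_CMD is an assumed hook (defaults to "ipa") so the parsing can be
# exercised against constructed output without an IPA server.

# Read cert-request output on stdin and print the decimal serial.
# Returns 1 unless exactly one "Serial number: <decimal>" line is present;
# the "(hex)" line is deliberately not matched.
parse_serial() {
    set -- $(sed -n 's/^[[:space:]]*Serial number:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p')
    [ $# -eq 1 ] || return 1
    printf '%s\n' "$1"
}

# Request a cert for HTTP/<fqdn> from a CSR using the host keytab (no kinit).
# Prints the serial on success. Returns ipa's exit status if the request
# fails (its error text is echoed to stderr), or 2 if no serial was found.
request_cert() {
    fqdn=$1
    csr=$2
    out=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab "${IPA_CMD:-ipa}" cert-request --add \
            --principal="HTTP/$fqdn" "$csr" 2>&1) || {
        status=$?
        printf 'cert-request for HTTP/%s failed (exit %s):\n%s\n' "$fqdn" "$status" "$out" >&2
        return "$status"
    }
    printf '%s\n' "$out" | parse_serial || {
        printf 'cert-request for HTTP/%s returned no serial number\n' "$fqdn" >&2
        return 2
    }
}

# Usage: sh request-cert.sh <fqdn> <csr-file>  -> prints the decimal serial,
# which can then be fed to: ipa cert-show "$serial" --out=sslcert.pem
if [ $# -eq 2 ] && [ -f "$2" ]; then
    request_cert "$1" "$2"
fi
```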