On to, 11 huhti 2019, Rob Crittenden via FreeIPA-users wrote:
Alexander Bokovoy via FreeIPA-users wrote:
On to, 11 huhti 2019, Rob Crittenden via FreeIPA-users wrote:
Bret Wortman via FreeIPA-users wrote:
Thanks, Rob. I'm a lot closer now.

What I'm getting now looks like:

# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr
ipa: ERROR: The service principal for subject alt name myhost in
certificate request does not exist

What we've done before is set up each system with its FQDN and just its
hostname (and some have other aliases as well). Is that what's causing a
problem?

I've looked for documentation on the ipa cert-request command but can't
seem to find anything.

IPA requires that every hostname in a cert exist in IPA (so you don't
request a SAN for a host you don't own). In this case it is looking for
HTTP/<shortname> which I presume doesn't exist.

You can try forcing the creation with:

$ ipa service-add HTTP/<shortname> --force
Alternatively, you can add an alias to the service principal.

ipa service-add-principal HTTP/fullname HTTP/shortname

'ipa cert-request' allows matching hostnames of service principal
aliases (the part after the first /) since 4.5.0.

This doesn't work in my quickie testing.

$ hostname
ipa.example.test
$ ipa service-show bar/ipa.example.test
 Principal name: bar/ipa.example.t...@example.test
 Principal alias: bar/ipa.example.t...@example.test, bar/i...@example.test
 Keytab: False
 Managed by: ipa.example.test
< create CSR with DNS SAN of ipa >
...
      Subject: CN = ipa.example.test
...
       Requested Extensions:
           X509v3 Subject Alternative Name:
               DNS:ipa
$ ipa cert-request --principal bar/`hostname` /tmp/csr  --add
ipa: ERROR: The service principal for subject alt name ipa in
certificate request does not exist
Works for me via ipa-getcert on 4.7 which internally does 'ipa
cert-request':

...
ipa: INFO: [xmlserver] host/nyx.xs.ipa.c...@xs.ipa.cool: cert_request(....)
...

# ipa service-show moobar/nyx.xs.ipa.cool
 Principal name: moobar/nyx.xs.ipa.c...@xs.ipa.cool
 Principal alias: moobar/nyx.xs.ipa.c...@xs.ipa.cool, moobar/n...@xs.ipa.cool
 Keytab: True
 Managed by: nyx.xs.ipa.cool
 Users allowed to retrieve keytab: admin
 Users allowed to create keytab: admin


# ipa-getcert request -k /etc/pki/tls/private/moobar.key -f /etc/pki/tls/certs/moobar.crt -D nyx -D nyx.xs.ipa.cool -K moobar/nyx.xs.ipa.cool

# ipa-getcert list -f /etc/pki/tls/certs/moobar.crt
Number of certificates and requests being tracked: 17.
Request ID '20190412080750':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/moobar.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/moobar.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XS.IPA.COOL
        subject: CN=nyx.xs.ipa.cool,O=XS.IPA.COOL
        expires: 2021-04-12 10:07:53 CEST
        dns: nyx,nyx.xs.ipa.cool
        principal name: moobar/nyx.xs.ipa.c...@xs.ipa.cool
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
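The check Rob and Alexander are describing can be run locally before submitting a CSR: compare the DNS names in the CSR's SAN extension against the hostname part of each principal and alias that 'ipa service-show' reports, and build the 'ipa service-add-principal' call for whatever is missing. This is an added example, not code from the thread or from FreeIPA; the function names are hypothetical and the CSR and service-show text are constructed samples modelled on the output quoted above.

```python
import re

# Constructed sample inputs (modelled on the thread's openssl and ipa output).
CSR_TEXT = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa, DNS:ipa.example.test
"""
SERVICE_SHOW = """\
 Principal name: bar/ipa.example.test@EXAMPLE.TEST
 Principal alias: bar/ipa.example.test@EXAMPLE.TEST
 Keytab: False
 Managed by: ipa.example.test
"""


def san_dns_names(csr_text):
    """DNS names listed in the CSR's Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", csr_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1].strip() for e in entries if e.startswith("DNS:")]


def principal_hostnames(service_show_text):
    """Hostnames a service covers: the part after the first '/' and before '@'
    of the canonical name and of every alias (what cert-request matches since 4.5.0)."""
    hosts = set()
    for line in service_show_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in ("Principal name", "Principal alias"):
            for princ in (p.strip() for p in value.split(",")):
                if "/" in princ:
                    hosts.add(princ.split("/", 1)[1].split("@", 1)[0].lower())
    return hosts


def missing_san_aliases(service, csr_text, service_show_text):
    """SAN hostnames no principal or alias of `service` covers, plus the
    'ipa service-add-principal' command that would add aliases for them."""
    covered = principal_hostnames(service_show_text)
    missing = [h for h in san_dns_names(csr_text) if h.lower() not in covered]
    fix = None
    if missing:
        svc = service.split("/", 1)[0]
        fix = "ipa service-add-principal {} {}".format(
            service, " ".join("{}/{}".format(svc, h) for h in missing))
    return missing, fix


if __name__ == "__main__":
    print(missing_san_aliases("bar/ipa.example.test", CSR_TEXT, SERVICE_SHOW))
```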
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
