> Krzysztof O via FreeIPA-users wrote:
> 
> RFC 3280 defines the upper-bound of common name at 64 and is mandatory.
> 
> What problem is this causing?
> 
> rob

When issuing a CSR from the overcloud nodes, the CN field value exceeds the 
64-character limit and the request fails. We expect to be able to issue CSRs for 
FQDNs longer than 64 characters.

The domain cannot be shortened, at least the customer subdomain, so we need a 
solution which will allow us to deploy a RHOSP cluster with TLS everywhere 
enabled when the FQDN used in the CN is longer than 64 characters.


"Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I 
libvirt-server-cert -f /etc/pki/libvirt/servercert.pem -c IPA -N 
CN=[longer_than_64_chars] -K libvirt/host -D host -C systemctl reload libvirtd 
-w -k /etc/pki/libvirt/private/serverkey.pem' returned 3: New signing request 
\"libvirt-server-cert\" added.",
           "Error: 
/Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt[libvirt-server-cert]/Certmonger_certificate[libvirt-server-cert]:
 Could not evaluate: Could not get certificate: Server at 
https://ipa_host/ipa/xml failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: Invalid Subject Name 
CN=cn_longer_than_64_chars,O=organization_name [ Invalid fields:  Common Name  
] ).",

(I've hidden real CN and host names)
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
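
A pre-submission check for the failure reported above, as an added example that is not part of the original message and is not FreeIPA or certmonger code: it parses a subject string of the form shown in the error and flags attributes longer than the upper bounds in RFC 5280 Appendix A (the same 64-character ub-common-name that RFC 3280 defines). The function names and the sample FQDN under example.test are constructed for illustration.

```python
import re

# Upper bounds in characters from RFC 5280 Appendix A (ub-common-name, ...).
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128, "C": 2}

def split_unescaped(text, seps):
    """Split text on any char in seps, ignoring backslash-escaped ones."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] in seps:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: backslash + hex byte pair, or backslash + char."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def oversized_attributes(subject):
    """Return [(attr, length, bound)] for values over their upper bound."""
    problems = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, _, raw = ava.partition("=")
            attr, value = attr.strip().upper(), unescape(raw.strip())
            bound = UPPER_BOUNDS.get(attr)
            if bound is not None and len(value) > bound:
                problems.append((attr, len(value), bound))
    return problems

# Constructed sample: a 70-character FQDN under example.test.
LONG_FQDN = "overcloud-novacompute-0.internalapi." + "c" * 21 + ".example.test"
```

Running `oversized_attributes()` on the subject before it is handed to `getcert request -N` surfaces the over-long CN on the node itself rather than as a 4301 RPC error from the CA.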
