> Krzysztof O via FreeIPA-users wrote:
>
> RFC 3280 defines the upper-bound of common name at 64 and is mandatory.
>
> What problem is this causing?
>
> rob

When issuing a CSR from the overcloud nodes, the CN field value exceeds the 64-character limit and the request fails. We expect to be able to issue CSRs for FQDNs longer than 64 characters.

The domain cannot be shortened, at least the customer subdomain, so we need a solution which will allow us to deploy a RHOSP cluster with TLS everywhere enabled, when the FQDN used in CN is longer than 64 characters.

"Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I libvirt-server-cert -f /etc/pki/libvirt/servercert.pem -c IPA -N CN=[longer_than_64_chars] -K libvirt/host -D host -C systemctl reload libvirtd -w -k /etc/pki/libvirt/private/serverkey.pem' returned 3: New signing request \"libvirt-server-cert\" added.",

"Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt[libvirt-server-cert]/Certmonger_certificate[libvirt-server-cert]: Could not evaluate: Could not get certificate: Server at https://ipa_host/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Invalid Subject Name CN=cn_longer_than_64_chars,O=organization_name [ Invalid fields: Common Name ] ).",

(I've hidden real CN and host names)
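
Added example, not part of the original thread and not FreeIPA or certmonger code: a pre-flight check that reports which subject fields exceed the 64-character upper bound cited in the quoted reply, so an over-long CN can be caught before the CSR is submitted. The function names and the sample subjects are hypothetical and constructed for illustration; applying the same 64-character bound to O and OU follows RFC 3280 Appendix A.

```python
# Upper bounds in characters, per RFC 3280 Appendix A
# (ub-common-name, ub-organization-name, ub-organizational-unit-name).
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64}


def split_rdns(subject):
    """Split a subject string on commas that are not backslash-escaped.

    Simple escapes such as "\\," are unescaped; hex escapes are not decoded.
    """
    parts, current, escaped = [], [], False
    for ch in subject:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def oversized_fields(subject):
    """Return (attribute, length, limit) for each value over its bound."""
    problems = []
    for rdn in split_rdns(subject):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        limit = UPPER_BOUNDS.get(attr)
        if limit is not None and len(value) > limit:
            problems.append((attr, len(value), limit))
    return problems


# Constructed sample host name and subjects (not taken from the thread).
LONG_HOST = ("overcloud-novacompute-0.internalapi.region1."
             "customer-subdomain.example.test")
SAMPLE_SUBJECTS = ["CN=" + LONG_HOST + ",O=EXAMPLE.TEST",
                   "CN=short.example.test,O=EXAMPLE.TEST"]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        for attr, length, limit in oversized_fields(subject):
            print(f"{attr} is {length} characters, limit is {limit}")
```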