Per Qvindesland via FreeIPA-users wrote:

> Hi
>
> I am using the IPA server as the CA for our Apache SSLs, but I am
> wondering if it's possible to have a second SSL that's not the same as
> the hostname, meaning I have already sub1.mydomain.com but I would like
> to add also sub2.mydomain.com for another site, is this possible?
>
> I have tried adding the hostname so ipa host-add sub2.mydomain.com
> then ipa service-add HTTP/sub2.mydomain.com, but when I do:
> ipa-getcert request -K HTTP/sub2.mydomain.com -k
> /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr
> -N sub2.mydomain.com then ipa-getcert list says it fails with:
> status: CA_REJECTED
> ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our
> request, giving up: 2100 (Insufficient access: Insufficient 'write'
> privilege to the 'userCertificate' attribute of entry
> 'krbprincipalname=HTTP/sub2.mydomain....@mydomain.com,cn=services,cn=accounts,dc=mydomain,dc=com'.)
>
> How can I resolve this?
certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the machine to authenticate. By default it can only request certificates for its own hostname. You can use ipa service-add-host to add the host to the new service name.

Additionally, do you need a completely separate certificate or do you want to add a SAN to the existing one? To do that you'd run:

ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
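The sequence Rob describes, scripted as an added example (this is not code from the thread or from the FreeIPA project). It assumes the script is run on the web host that already holds the host keytab certmonger authenticates with, that the caller has IPA rights for host-add/service-add, and that the hostnames sub1.mydomain.com and sub2.mydomain.com from the original post are placeholders. The ipa service-add-host step is the one that delegates write access on the service entry to the requesting host, which is what the 2100 "Insufficient 'write' privilege" rejection is about. Setting DRY_RUN=1 prints the commands instead of executing them, so the plan can be reviewed before touching the directory.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes: run on the host
# that carries the host keytab used by certmonger; caller has IPA admin
# rights. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the host and HTTP service entries for the new site, then let the
# host that runs certmonger manage that service. Without the
# service-add-host step the CA rejects the request because the requesting
# host has no write access to the service's userCertificate attribute.
provision_service() {
    svc_host=$1   # new site, e.g. sub2.mydomain.com (placeholder)
    mgr_host=$2   # host running certmonger, e.g. sub1.mydomain.com (placeholder)
    run ipa host-add "$svc_host"
    run ipa service-add "HTTP/$svc_host"
    run ipa service-add-host "HTTP/$svc_host" --hosts="$mgr_host"
}

# Option 1: a completely separate certificate for the new service.
# Paths under /ssl are assumed; -k is the key file, -f the certificate file.
request_separate_cert() {
    svc_host=$1
    run ipa-getcert request -K "HTTP/$svc_host" \
        -k "/ssl/$svc_host.key" -f "/ssl/$svc_host.crt" -N "$svc_host"
}

# Option 2: add the new name as a SAN to the existing tracked certificate,
# identified by its certmonger request id (from "ipa-getcert list").
add_san_to_existing() {
    svc_host=$1
    request_id=$2
    run ipa-getcert resubmit -D "HTTP/$svc_host" -i "$request_id"
}

# Example invocation (dry run so nothing is changed):
# DRY_RUN=1 provision_service sub2.mydomain.com sub1.mydomain.com
# DRY_RUN=1 request_separate_cert sub2.mydomain.com
```

After the real run, `ipa service-show HTTP/sub2.mydomain.com` should list the requesting host under "Managed by", and `ipa-getcert list` should move from CA_REJECTED to MONITORING.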