Hello, I have a host with 2 names:
* servername.example.com
* alias.example.com
But the command:
=======================================
ipa-getcert request \
    -K HTTP/servername.example.com \
    -D alias.example.com \
    -f /etc/pki/tls/certs/httpd.crt \
    -k /etc/pki/tls/private/httpd.key
=======================================
says that I cannot do it:
=======================================
ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'alias.example.com'.).
=======================================
The alias.example.com is managed from the host:
=======================================
ipa host-show alias.example.com
  Host name: alias.example.com
  Principal name: host/alias.example.com@EXAMPLE.COM
  Principal alias: host/alias.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: alias.example.com, servername.example.com
=======================================
Any idea why???
On 12/21/18 1:26 PM, Peter Tselios via FreeIPA-users wrote:
Hi,
the code also checks if the principal is allowed to add the certificate in the entry corresponding to the service HTTP/alias.example.com. In order to do that, the service needs to be managed by the host:

# ipa service-mod --addattr managedby=fqdn=servername.example.com,cn=computers,cn=accounts,dc=example,dc=com HTTP/alias.example.com
Note that the code checks the access rights but does not actually update the service entry HTTP/alias.example.com, I don't know if it is expected or not...
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 12/21/18 1:26 PM, Peter Tselios via FreeIPA-users wrote:
After digging a little bit, I also found another solution. If alias is used only for this specific server (not for load-balancing for instance), you can also do the following instead of defining a dummy host alias / dummy service HTTP/alias: use principal aliases.
# ipa host-add-principal servername.example.com host/alias.example.com@EXAMPLE.COM
# ipa service-add-principal HTTP/servername.example.com@EXAMPLE.COM HTTP/alias.example.com@EXAMPLE.COM
# kinit -kt /etc/krb5.keytab
# ipa-getcert ...
flo
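The two fixes flo gives (adding the requesting host to managedBy of the SAN's own service entry, or making the alias a principal alias of the service the host already manages) both satisfy the same per-SAN access check. The following Python is an added illustration of that check, not FreeIPA's code and not from either poster: it models a directory as a list of service entries, evaluates a request the way the thread describes (every dNSName SAN must resolve to a service of the same type that the requesting host manages), and runs the three states from the thread. The entry layout, the reduction of the managedBy DN to a host FQDN, and the "does not exist" wording are assumptions of the model; the "Insufficient privilege" message is the one quoted in the original post.

```python
# Added model of the per-SAN authorization check discussed in this thread.
# Not FreeIPA's code: the directory layout and the "does not exist" error
# text are assumptions; only the "Insufficient privilege" message is quoted
# from the thread.
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # assumption: single realm, as in the thread


@dataclass
class ServiceEntry:
    """One service entry: canonical principal, principal aliases, and the
    host FQDNs taken from its managedBy attribute (DN reduced to fqdn)."""
    principal: str
    aliases: set = field(default_factory=set)
    managed_by: set = field(default_factory=set)

    def answers_to(self, name: str) -> bool:
        return name == self.principal or name in self.aliases


def qualify(principal: str) -> str:
    """Append @REALM when omitted, as with `ipa-getcert -K HTTP/host`."""
    return principal if "@" in principal else f"{principal}@{REALM}"


def find_service(services, principal):
    """Resolve a principal (canonical or alias) to its entry, or None."""
    for entry in services:
        if entry.answers_to(principal):
            return entry
    return None


def authorize_cert_request(requesting_host, principal, san_dnsnames, services):
    """Return (allowed, reason) for a request by requesting_host for
    `principal` with the given dNSName SANs."""
    principal = qualify(principal)
    svc_type = principal.split("/", 1)[0]

    subject = find_service(services, principal)
    if subject is None:
        return False, f"service {principal} does not exist"
    if requesting_host not in subject.managed_by:
        return False, f"Insufficient privilege to request a certificate for {principal}"

    for san in san_dnsnames:
        alt = f"{svc_type}/{san}@{REALM}"  # same service type, SAN as host part
        entry = find_service(services, alt)
        if entry is None:
            return False, f"service {alt} for subject alt name '{san}' does not exist"
        if requesting_host not in entry.managed_by:
            # Host manages the subject's service but not the SAN's: the
            # situation in the original post.
            return False, (f"Insufficient privilege to create a certificate "
                           f"with subject alt name '{san}'.")
    return True, "ok"


HOST = "servername.example.com"
SUBJECT = "HTTP/servername.example.com"
SANS = ["alias.example.com"]


def scenario_original():
    """Constructed state before any fix: HTTP/alias.example.com exists but
    is managed only by alias.example.com."""
    services = [
        ServiceEntry("HTTP/servername.example.com@EXAMPLE.COM", managed_by={HOST}),
        ServiceEntry("HTTP/alias.example.com@EXAMPLE.COM", managed_by={"alias.example.com"}),
    ]
    return authorize_cert_request(HOST, SUBJECT, SANS, services)


def scenario_add_managedby():
    """After `ipa service-mod --addattr managedby=... HTTP/alias.example.com`."""
    services = [
        ServiceEntry("HTTP/servername.example.com@EXAMPLE.COM", managed_by={HOST}),
        ServiceEntry("HTTP/alias.example.com@EXAMPLE.COM",
                     managed_by={"alias.example.com", HOST}),
    ]
    return authorize_cert_request(HOST, SUBJECT, SANS, services)


def scenario_principal_alias():
    """After `ipa service-add-principal HTTP/servername... HTTP/alias...`:
    the SAN resolves to the host's own service entry via its alias."""
    services = [
        ServiceEntry("HTTP/servername.example.com@EXAMPLE.COM",
                     aliases={"HTTP/alias.example.com@EXAMPLE.COM"},
                     managed_by={HOST}),
    ]
    return authorize_cert_request(HOST, SUBJECT, SANS, services)


if __name__ == "__main__":
    for name, run in [("original", scenario_original),
                      ("service-mod managedby", scenario_add_managedby),
                      ("principal alias", scenario_principal_alias)]:
        ok, reason = run()
        print(f"{name:>22}: {'allowed' if ok else 'denied'} ({reason})")
```

The point the model makes visible is that the check is per name, not per host: the host keytab's right to hold the HTTP/servername.example.com certificate says nothing about alias.example.com, and it is the managedBy relation (or alias membership) on the entry that name resolves to which grants it. A service-mod that only adds managedBy changes no keytab or certificate, which is consistent with flo's note that the server checks access rights without updating the HTTP/alias.example.com entry.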