Hey folks,
Really quick question. If a host, say web01.example.com, is online, in IPA et al., but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way?
Assumptions:
- All commands executed on web01.example.com
- /etc/ssl/ipa & perms are OK.
cert="supremecustomer.com"
# Dummy host object to own the service principal for the SNI name
ipa host-add ${cert} --desc="Dummy Host / ${cert}" --location="$(hostname -f)"
ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
# HTTP service for the SNI name, managed by this web host
ipa service-add HTTP/${cert}
ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
# Request (and auto-renew) the cert via certmonger; -D sets the DNS SAN
ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
# Key and cert readable by root and the nginx group only
chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
Is this still the way to go? Is there a way around "One dummy host per SNI Certificate" in any way?
Cheers, Chris.
On Thu, 08 Aug 2019, Christian Reiss via FreeIPA-users wrote:
> Hey folks,
> Really quick question. If a host, say web01.example.com, is online, in IPA et al., but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way?
> Assumptions:
> - All commands executed on web01.example.com
> - /etc/ssl/ipa & perms are OK.
> cert="supremecustomer.com"
> ipa host-add ${cert} --desc="Dummy Host / ${cert}" --location="$(hostname -f)"
> ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
> ipa service-add HTTP/${cert}
> ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
> ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
> chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
> chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
> Is this still the way to go? Is there a way around "One dummy host per SNI Certificate" in any way?
Since FreeIPA 4.7.0 you can add a service without a host by using --skip-host-check.
This would work for RHEL 8.x and Fedora 29+.
For older systems you still need a managing host.
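A version-aware form of the procedure discussed in this thread, as an added example (not from any of the posts): it reads the server version with `ipa ping`, uses --skip-host-check on 4.7.0 or newer, and falls back to the dummy host otherwise. Assumptions: `ipa ping` prints a line of the form "IPA server version X.Y.Z. API version ...", the script runs as root on the enrolled web host, and the /etc/ssl/ipa directory and nginx group from the original post exist.

```shell
#!/bin/sh
# Request an IPA-signed certificate for an SNI name that is not an IPA host.
# Assumed: run as root on the enrolled web host, /etc/ssl/ipa exists, and the
# web server runs under the "nginx" group (all taken from the original post).

# Extract "X.Y.Z" from `ipa ping` output, assumed to look like
# "IPA server version 4.8.4. API version 2.235".
server_version_from_ping() {
    awk '/^IPA server version/ { v = $4; sub(/\.$/, "", v); print v }'
}

# Return 0 when dotted version $1 >= $2 (up to three numeric components).
version_ge() {
    a=$(printf '%s\n' "${1:-0}" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    b=$(printf '%s\n' "${2:-0}" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    [ "$a" -ge "$b" ]
}

request_sni_cert() {
    name="$1"                       # e.g. supremecustomer.com
    certdir="${2:-/etc/ssl/ipa}"
    host="$(hostname -f)"
    ver="$(ipa ping | server_version_from_ping)"

    if version_ge "$ver" "4.7.0"; then
        # FreeIPA >= 4.7.0: the service may exist without a host object.
        ipa service-add "HTTP/${name}" --skip-host-check
    else
        # Older servers: a dummy host must own the service principal.
        ipa host-add "$name" --desc="Dummy Host / ${name}" --location="$host"
        ipa host-add-managedby "$name" --hosts="$host"
        ipa service-add "HTTP/${name}"
    fi

    # Let this web host manage the service; certmonger enrols with the host keytab.
    ipa service-add-host "HTTP/${name}" --hosts="$host"
    ipa-getcert request -r -f "${certdir}/${name}.crt" -k "${certdir}/${name}.key" \
        -N "CN=${name}" -D "$name" -K "HTTP/${name}"

    # Key and cert readable by root and the web server group only.
    chown root:nginx "${certdir}/${name}.key" "${certdir}/${name}.crt"
    chmod 0640 "${certdir}/${name}.key" "${certdir}/${name}.crt"
}

# Only act when a name is given, e.g.: ./sni-cert.sh supremecustomer.com
if [ "$#" -ge 1 ]; then
    request_sni_cert "$@"
fi
```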
Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 08 Aug 2019, Christian Reiss via FreeIPA-users wrote:
> > Hey folks,
> > Really quick question. If a host, say web01.example.com, is online, in IPA et al., but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way?
> > Assumptions:
> > - All commands executed on web01.example.com
> > - /etc/ssl/ipa & perms are OK.
> > cert="supremecustomer.com"
> > ipa host-add ${cert} --desc="Dummy Host / ${cert}" --location="$(hostname -f)"
> > ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
> > ipa service-add HTTP/${cert}
> > ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
> > ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
> > chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
> > chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
> > Is this still the way to go? Is there a way around "One dummy host per SNI Certificate" in any way?
> Since FreeIPA 4.7.0 you can add a service without a host by using --skip-host-check.
> This would work for RHEL 8.x and Fedora 29+.
> For older systems you still need a managing host.
Right. Something in IPA needs to show you have permission to issue certificates for a given object.
rob
freeipa-users@lists.fedorahosted.org