Amit via FreeIPA-devel wrote:
Hello,
_This command is executed at IPA Client_:
# date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K TEST/$(hostname) -E <>@<> <mailto:fabian.seelbach@ble.de> -f opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
Wed Feb 14 07:54:49 CET 2018
Certificate at same location is already used by request with nickname "20180207095750".
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20180207095750".
# ipa-getcert stop-tracking --id "20180207095750"
Request "20180207095750" removed.
# date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K TEST/$(hostname) -E <>@<> <mailto:fabian.seelbach@ble.de> -f /opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
Wed Feb 14 07:55:19 CET 2018
New signing request "20180214065519" added.
# getcert list -i "20180214065519"
Number of certificates and requests being tracked: 1.
Request ID '20180214065519':
status: CA_REJECTED
ca-error: Server at https://<>/ipa/xml <https://dpgrridm0577.idm.ble.de/ipa/xml> denied our request, giving up: 3009 (RPC failed at server. invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals).
stuck: yes
key pair storage: type=FILE,location='/opt/certs/test3.key'
certificate: type=FILE,location='/opt/certs/test3.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: no
I'm not sure what the question is.
If the question is "why does my second getcert request fail" then it's
because you use resubmit not request for certs already being tracked.
If the question is "why is my request rejected" I think that is pretty
clear already.
rob