Hello Everyone,
I have an AlmaLinux 9.0 client enrolled into a 4.9.8 ipa domain running on a Rocky Linux 8.6 server. I'm running the following command on the client to request a cert:
ipa-getcert request -I cockpit -k /etc/cockpit/ws-certs.d/0-cockpit.key -f /etc/cockpit/ws-certs.d/0-cockpit.crt -g 2048 -K HTTP/$(hostname) -D hostname.theinside.rnr -m 640 -M 640 -o root:cockpit-ws -O root:cockpit-ws
The cert gets issued without error. But, I don't see the "dns" line in the output:

	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/0-cockpit.key'
	certificate: type=FILE,location='/etc/cockpit/ws-certs.d/0-cockpit.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=THEINSIDE.RNR
	subject: CN=hostname.theinside.rnr,O=THEINSIDE.RNR
	issued: 2022-06-20 21:31:39 EDT
	expires: 2024-06-20 21:31:39 EDT
	principal name: HTTP/hostname.theinside.rnr@THEINSIDE.RNR
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
The result is Firefox complains about the cert when I try to visit the cockpit web UI.
I've run it now a few times with the same result. Which one of the myriad of logs should I check to maybe understand why this is happening?
On Mon, 2022-06-20 at 22:06 -0400, Ranbir via FreeIPA-users wrote:
> [snip]
Sorry, Rob! I clicked on the wrong email in another message when I composed my message. I didn't mean to also address you.
On Mon, 2022-06-20 at 22:06 -0400, Ranbir via FreeIPA-users wrote:
> I've run it now a few times with the same result. Which one of the myriad of logs should I check to maybe understand why this is happening?
I fixed it.
I used to have a second internal DNS domain that I used with the same ipa domain. The server I was requesting the cert on has the same short name, but is now in the first dns domain. The old server with the same short name and secondary DNS domain was still hanging around in the list of hosts. I deleted it, requested the cert again using the exact same command and now I can see the "dns" line in the cert's details. Firefox stopped complaining, too.
ok bye.
freeipa-users@lists.fedorahosted.org