Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote:
>> Bret Wortman via FreeIPA-users wrote:
>>> Thanks, Rob. I'm a lot closer now.
>>>
>>> What I'm getting now looks like:
>>>
>>> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr
>>> IPA: error: The service principal for subject alt name myhost in
>>> certificate request does not exist
>>>
>>> What we've done before is set up each system with its FQDN and just its
>>> hostname (and some have other aliases as well). Is that what's causing a
>>> problem?
>>>
>>> I've looked for documentation on the ipa cert-request command but can't
>>> seem to find anything.
>>
>> IPA requires that every hostname in a cert exist in IPA (so you don't
>> request a SAN for a host you don't own). In this case it is looking for
>> HTTP/<shortname> which I presume doesn't exist.
>>
>> You can try forcing the creation with:
>>
>> $ ipa service-add HTTP/<shortname> --force
>
> Alternatively, you can add an alias to the service principal:
>
> ipa service-add-principal HTTP/fullname HTTP/shortname
>
> 'ipa cert-request' allows matching hostnames of service principal
> aliases (the part after the first /) since 4.5.0.
This doesn't work in my quickie testing.

$ hostname
ipa.example.test
$ ipa service-show bar/ipa.example.test
  Principal name: bar/ipa.example.test(a)EXAMPLE.TEST
  Principal alias: bar/ipa.example.test(a)EXAMPLE.TEST, bar/ipa(a)EXAMPLE.TEST
  Keytab: False
  Managed by: ipa.example.test

< create CSR with DNS SAN of ipa >
...
        Subject: CN = ipa.example.test
...
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa

$ ipa cert-request --principal bar/`hostname` /tmp/csr --add
ipa: ERROR: The service principal for subject alt name ipa in
certificate request does not exist

rob
>>
>> rob
>>
>>> Bret Wortman
>>> Founder, Damascus Products, LLC
>>> 855-644-2783 | bret(a)wrapbuddies.co
>>> http://wrapbuddies.co/
>>> 70 Main St. Suite 23 Warrenton, VA 20186
>>>
>>> On Apr 11 2019, at 11:31 am, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>> Bret Wortman via FreeIPA-users wrote:
>>>>> I know I can paste a CSR from one of our servers into the GUI and
>>>>> generate a new cert, but how can I do this from a command line?
>>>>>
>>>>> I've been working with this:
>>>>>
>>>>> # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr
>>>>
>>>> Add the --add option to create the principal if it doesn't already exist
>>>> (assuming your kerberos principal has rights to add one).
>>>>
>>>> You can make this all automatic with something like:
>>>>
>>>> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr
>>>>
>>>> No kinit needed.
>>>>
>>>>> But that's giving me an error that the principal doesn't exist. Then
>>>>> (admittedly, I picked up this command from a discussion I found):
>>>>>
>>>>> # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
>>>>>
>>>>> How do I get the serial number?
>>>>>
>>>>> Basically, I'm trying to wrap and automate the process of granting a new
>>>>> cert to a server.
>>>>
>>>> The serial number will be in the output from the cert-request command,
>>>> twice actually: one decimal, one hex.
>>>>
>>>> You can do it hackily via something like:
>>>>
>>>> SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --principal bar/`hostname` /tmp/csr --add 2>&1 | grep "Serial number: " | cut -d: -f2)
>>>>
>>>> Though that won't catch errors. You can also do a service-show
>>>> HTTP/$HOST to get the serial number.
>>>>
>>>> rob
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>
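As an added example (not part of the thread, and not FreeIPA's own tooling): a small bash wrapper that does what Rob's `grep | cut` one-liner does but fails loudly when `ipa cert-request` errors out, which is the gap he points at with "that won't catch errors". The keytab path, principal and CSR path are assumptions, and the cert-request output it parses is constructed from the "Serial number:" lines the thread describes, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from FreeIPA itself.
# Wraps 'ipa cert-request' so that a failed request is reported instead of
# quietly producing an empty serial number. Assumes the field layout
# "  Serial number: <decimal>" (followed by a "Serial number (hex):" line)
# that the thread describes.
set -eu

# Constructed sample of successful cert-request output (not real output).
CONSTRUCTED_OK_OUTPUT='  Certificate: MIIC...
  Subject: CN=ipa.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Serial number: 12
  Serial number (hex): 0xC'

# Constructed sample of a failed request. ipa prints this to stderr and
# exits non-zero; nothing usable reaches stdout.
CONSTRUCTED_ERR_OUTPUT='ipa: ERROR: The service principal for subject alt name ipa in certificate request does not exist'

# extract_serial OUTPUT
# Prints the decimal serial from cert-request output, or returns 1 if no
# "Serial number:" line is present. The hex line carries a different label
# and is deliberately not matched.
extract_serial() {
    local serial
    serial=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Serial number: *\([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1)
    [ -n "$serial" ] || return 1
    printf '%s\n' "$serial"
}

# request_cert PRINCIPAL CSR [KEYTAB]
# Runs cert-request with the host keytab (no kinit), keeps stderr out of the
# captured stdout so an error message can never be mistaken for a serial,
# and fails if ipa exits non-zero or prints no serial line.
request_cert() {
    local principal="$1" csr="$2" keytab="${3:-/etc/krb5.keytab}"
    local out
    if ! out=$(KRB5_CLIENT_KTNAME="$keytab" ipa cert-request --add \
               --principal="$principal" "$csr"); then
        echo "cert-request for $principal failed; see the error above" >&2
        return 1
    fi
    extract_serial "$out" || {
        echo "cert-request succeeded but printed no serial number" >&2
        return 1
    }
}
```

Usage would be `SERIAL=$(request_cert "HTTP/$(hostname -f)" /path/to/host.csr)` followed by `ipa cert-show "$SERIAL" --out=/path/to/sslcert.pem`; because stderr is not merged into stdout, the "service principal for subject alt name ... does not exist" message from the thread lands on the terminal and the script stops rather than calling cert-show with an empty serial.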