Krzysztof O via FreeIPA-users wrote:
RFC 3280 defines the upper-bound of common name at 64 and is mandatory.
What problem is this causing?
When issuing a CSR from the overcloud nodes, the CN field value exceeds the 64-character
limit and the request fails. We expect to be able to issue CSRs for FQDNs longer than 64
The domain cannot be shortened, at least the customer subdomain, so we need a solution
which will allow us to deploy a RHOSP cluster with TLS everywhere enabled, when the FQDN
used in CN is longer than 64 characters.
"Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I
libvirt-server-cert -f /etc/pki/libvirt/servercert.pem -c IPA -N CN=[longer_than_64_chars]
-K libvirt/host -D host -C systemctl reload libvirtd -w -k
/etc/pki/libvirt/private/serverkey.pem' returned 3: New signing request
Could not evaluate: Could not get certificate: Server at https://ipa_host/ipa/xml
request, will retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: Invalid Subject Name CN=cn_longer_than_64_chars,O=organization_name [ Invalid
fields: Common Name ] ).",
(I've hidden real CN and host names)