Hello,
I have issued a certificate for an AWS ELB.
The certificate is attached to a pseudo-host and service named lb.example.com.
There is a certificate and the certificate ID is 21.
The certificate was created on the FreeIPA server.
(as indicated here
https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)
I also created 2 more certificates for the back-end servers, installed them, and they work
just fine when I connect directly to the back-end server.
However, when I connect through the LB, browsers are complaining because the back-end
certificate does not contain the DNS name of the LB.
So, I revoked the previous certificates and tried to re-create them via:
sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem \
    -k ~/certificates/keys/host_key.key \
    -K HTTP/$(hostname -f) \
    -N CN=$(hostname),O=EXAMPLE.COM \
    -g 2048 \
    -D lb.example.com \
    -D host01.example.com \
    -D aws-host01-example.com \
    -D webserver01.example.com
(The command was executed on the back-end servers in order to avoid transferring the
files)
The request fails with this error:
ca-error: Server at https://ipa01.example.com/ipa/xml denied our request, giving up: 2100
(RPC failed at server. Insufficient access: Insufficient privilege to create a
certificate with subject alt name 'lb.example.com'.).
Do I get this error because there is a certificate for this service already? If so, how
can I bypass this?
If it's not possible, I will recreate the LB certificate and add all DNS names to
that, but it's less than ideal, since if I add a new server in the future, I will need
to re-issue the certificate.
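FreeIPA grants a host a certificate with a SAN for another service principal only when that host is allowed to manage the service. The following added example (not from the original post or the FreeIPA project) checks, before submitting the request, which SANs the requesting host is not a manager of and prints the corresponding grant commands. The `fake_service_show` function is a constructed stand-in for `ipa service-show` output so the script runs offline; the hostnames are constructed too.

```shell
#!/bin/sh
# Constructed stand-in for `ipa service-show HTTP/<san>`; only the
# "Managed by:" line matters here. In a live environment replace the
# body with:  ipa service-show "HTTP/$1"
fake_service_show() {
    case "$1" in
        lb.example.com)
            printf '  Principal name: HTTP/lb.example.com@EXAMPLE.COM\n'
            printf '  Managed by: lb.example.com\n' ;;
        host01.example.com)
            printf '  Principal name: HTTP/host01.example.com@EXAMPLE.COM\n'
            printf '  Managed by: host01.example.com\n' ;;
        webserver01.example.com)
            printf '  Principal name: HTTP/webserver01.example.com@EXAMPLE.COM\n'
            printf '  Managed by: host01.example.com, webserver01.example.com\n' ;;
        *) return 1 ;;   # unknown service: no output, treated as unmanaged
    esac
}

# unmanaged_sans HOST SAN...  prints each SAN whose HTTP service does not
# list HOST under "Managed by". Requesting such a SAN from HOST is what
# produces "Insufficient privilege to create a certificate with subject
# alt name '<san>'".
unmanaged_sans() {
    host=$1; shift
    for san in "$@"; do
        managed=$(fake_service_show "$san" | sed -n 's/^ *Managed by: //p')
        # Normalise "a, b" to ",a,b," so a whole-name match is unambiguous.
        case ",$(printf '%s' "$managed" | tr -d ' ')," in
            *",$host,"*) ;;
            *) printf '%s\n' "$san" ;;
        esac
    done
}

# grant_commands HOST SAN...  prints the FreeIPA command that makes HOST a
# manager of each unmanaged SAN service, which is the least-privilege fix:
# only the hosts that actually serve a name may request certificates for it.
grant_commands() {
    host=$1; shift
    for san in $(unmanaged_sans "$host" "$@"); do
        printf 'ipa service-add-host HTTP/%s --hosts=%s\n' "$san" "$host"
    done
}

# Usage: check the SAN set from the question when requesting from host01.
grant_commands host01.example.com lb.example.com host01.example.com webserver01.example.com
```

Run the printed `ipa service-add-host` lines as an IPA admin, then re-run the `ipa-getcert request` on the back-end host; the SAN check above must be repeated whenever a new back-end server is added to the SAN list.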