Hi list! I'm trying to figure out a way to get certmonger to manage vhost certificates using FreeIPA. I'm able to use it to generate and renew certificates for the host itself (`host1.example.com`), but what if I have several websites managed on this same host (`webapp1.example.com` and `webapp2.example.com` are hosted on `host1.example.com`)? Is this possible at all?

On 23/02/23 21:46, Rob Crittenden via FreeIPA-users wrote: >Carlos Mogas da Silva via FreeIPA-users wrote: >>Hi list! >> >>I'm trying to figure out a way to get certmonger to manage vhost >>certificates using FreeIPA. I'm able to use it to generate and renew >>certificates for the host itself (`host1.example.com`), but what if I >>have several websites managed on this same host (`webapp1.example.com` >>and `webapp2.example.com` are hosted on `host1.example.com`)? Is this >>possible at all? > >Yes, see >https://rcritten.wordpress.com/2022/02/03/overview-of-certificate-issuance-in-ipa/ > >rob Thanks Rob! Just to make it clear (at least for me), do I need to add a Principal Alias to the Host/Service with the new domain? As in, HOST/host1.example.com(a)EXAMPLE.COM needs to have an alias to HTTP/webapp1.example.com(a)EXAMPLE.COM?

>>Thanks Rob! >> >>Just to make it clear (at least for me), do I need to add a Principal Alias to the Host/Service with the new domain? >>As in, HOST/host1.example.com(a)EXAMPLE.COM needs to have an alias to HTTP/webapp1.example.com(a)EXAMPLE.COM? > >You should not do that. Instead, create a host object in IPA and a service on it, then >add your host1 to the list of hosts allowed to manage this service. >Remember that a host object webapp1.example.com does not need to be >enrolled, just has to exist in IPA for access control purposes. >host1.example.com can control webapp1.example.com and its services. > >This question is asked often on the list. You can see a follow thread >for a concise description: >https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/6FISBEB4UCE5IGW2XMVVYRR6Q2WOZG46/ > Thanks for the pointer Alexander. I actually did search the list, but searched for "vhost" :P Anyway, I did as in the thread you mentioned, the only difference being that I used ipa-getcert and used the HOST key instead of the HTTP key for the principal name, but certmonger can't seem to find the "webapp1" ? ca-error: Server at https://ipa01.int.example.com/ipa/json failed request, will retry: 4001 (The service principal for subject alt name webapp1.int.example.com in certificate request does not exist). both HTTP/webapp1.int.example.com and HOST/host1.int.example.com exist and the host object itself for both also exist. I feel like I'm missing something obvious...

On 27/02/23 07:29, Alexander Bokovoy via FreeIPA-users wrote: > On la, 25 helmi 2023, Carlos Mogas da Silva via FreeIPA-users wrote: >> Thanks for the pointer Alexander. I actually did search the list, but >> searched for "vhost" :P >> >> Anyway, I did as in the thread you mentioned, the only difference >> being that I used ipa-getcert and used the HOST key instead of the >> HTTP key for the principal name, but certmonger can't seem to find >> the "webapp1" ? >> >> ca-error: Server at https://ipa01.int.example.com/ipa/json failed >> request, will retry: 4001 (The service principal for subject alt name >> webapp1.int.example.com in certificate request does not exist). >> >> both HTTP/webapp1.int.example.com and HOST/host1.int.example.com >> exist and the host object itself for both also exist. >> >> I feel like I'm missing something obvious... > > Please show exact sequence of what you did. > > $ ipa host-add webapp1.int.example.com $ ipa service-add HTTP/webapp1.int.example.com $ ipa service-add-host HTTP/webapp1.int.example.com --host host1.int.example.com $ ipa-getcert request -f webapp1.int.example.com.cert -k webapp1.int.example.com.key -D webapp1.int.example.com -K HOST/host1.int.r3pek.org # ran this on host1 itself.