Hi
I am using the IPA server as the CA for our Apache SSL's, but I am wondering if it's possible to have a second SSL that's not the same as the hostname, meaning I have already sub1.mydomain.com but I would like to add also sub2.mydomain.com for another site, is this possible?
I have tried adding the hostname so ipa host-add sub2.mydomain.com then ipa service-add HTTP/sub2.mydomain.com, but when I do: ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com then ipa-getcert list says it fails with: status: CA_REJECTED ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)
How can I resolve this?
Regards Per
Per Qvindesland via FreeIPA-users wrote:
Hi
I am using the IPA server as the CA for our Apache SSL's, but I am wondering if it's possible to have a second SSL that's not the same as the hostname, meaning I have already sub1.mydomain.com but I would like to add also sub2.mydomain.com for another site, is this possible?
I have tried adding the hostname so ipa host-add sub2.mydomain.com then ipa service-add HTTP/sub2.mydomain.com, but when I do: ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com then ipa-getcert list says it fails with: status: CA_REJECTED ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)
How can I resolve this?
certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the machine to authenticate. By default it can only request certificates for its own hostname.
You can use ipa service-add-host to add the host to the new service name.
Additionally, do you need a completely separate certificate or do you want to add a SAN to the existing one? To do that you'd run:
ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>
rob
Hi Rob
The SAN would also work really well since we are only using subdomains and hardly ever a new domain.
I tried the following: ipa-getcert resubmit -D HTTP/sub2.example.com -i 20210910082436
But when I check ipa-getcert list it says: ca-error: Server at https://ipaserver.example.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'sub1.example.com' does not match name or aliases of principal 'HTTP/sub2.example.com@EXAMPLE.COM').
I have added ipa service-add HTTP/sub2.example.com before running the command and an A record is in the DNS for sub2.example.com
I am pretty sure that I am not understanding something or missing a step but what am I missing?
Regards Per
On 9 September 2021 at 19:49, Rob Crittenden rcritten@redhat.com wrote:
Per Qvindesland via FreeIPA-users wrote:
Hi
I am using the IPA server as the CA for our Apache SSL's, but I am wondering if it's possible to have a second SSL that's not the same as the hostname, meaning I have already sub1.mydomain.com but I would like to add also sub2.mydomain.com for another site, is this possible?
I have tried adding the hostname so ipa host-add sub2.mydomain.com then ipa service-add HTTP/sub2.mydomain.com, but when I do: ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com then ipa-getcert list says it fails with: status: CA_REJECTED ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)
How can I resolve this?
certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the machine to authenticate. By default it can only request certificates for its own hostname.
You can use ipa service-add-host to add the host to the new service name.
Additionally, do you need a completely separate certificate or do you want to add a SAN to the existing one? To do that you'd run:
ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>
rob
Per Qvindesland wrote:
Hi Rob
The SAN would also work really well since we are only using subdomains and hardly ever a new domain.
I tried the following: ipa-getcert resubmit -D HTTP/sub2.example.com -i 20210910082436
But when I check ipa-getcert list it says: ca-error: Server at https://ipaserver.example.com/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'sub1.example.com' does not match name or aliases of principal 'HTTP/sub2.example.com@EXAMPLE.COM').
I have added ipa service-add HTTP/sub2.example.com before running the command and an A record is in the DNS for sub2.example.com
I am pretty sure that I am not understanding something or missing a step but what am I missing?
Sorry, that's on me.
This will work:
Add the new host and set managed by as a lark. I don't think it's required but meh. I'm using --force because I didn't bother to setup DNS for this fake host.
ipa host-add newhost.example.test --force
ipa host-add-managedby newhost.example.test --host ipa.example.test
Add a new Apache service for the new host and let the main host manage it:
ipa service-add HTTP/newhost.example.test --force
ipa service-add-host HTTP/newhost.example.test --host ipa.example.test
Resubmit the request for the SAN:
getcert resubmit -D newhost.example.test -f /var/lib/ipa/certs/httpd.crt -w -v
View the new SAN:
openssl x509 -text -noout -in /var/lib/ipa/certs/httpd.crt
...
X509v3 Subject Alternative Name:
DNS:newhost.example.test, othername:<unsupported>, othername:<unsupported>, DNS:ipa.example.test
...
Both the new and original hosts are listed as DNS SAN.
rob
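Rob's two replies above (service-add-host plus getcert resubmit -D) amount to one procedure; the script below is an added example written for this thread, not something posted in it. It wraps the procedure in a function with placeholder hostnames and adds a check that parses `openssl x509 -text` output to confirm the new name really landed in the DNS SAN list, so a run that silently kept the old certificate is caught rather than assumed to have worked.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. MAIN_HOST is the
# IPA-enrolled web server that already owns the tracked certificate,
# NEW_HOST is the extra site name to add as a SAN, CERT is the tracked
# certificate file. All three are placeholders supplied by the caller.
set -eu

# Steps from Rob's reply: create the host and service for the new name and
# let the main host manage both, then ask certmonger to resubmit with the
# new DNS name added (-D) and wait (-w) for the CA's answer.
add_san_name() {
  main_host=$1; new_host=$2; cert=$3
  ipa host-add "$new_host" --force
  ipa host-add-managedby "$new_host" --hosts="$main_host"
  ipa service-add "HTTP/$new_host" --force
  ipa service-add-host "HTTP/$new_host" --hosts="$main_host"
  getcert resubmit -D "$new_host" -f "$cert" -w -v
}

# Return 0 if the `openssl x509 -text` output in $1 lists $2 as a DNS SAN.
# The entries sit on the line after the "Subject Alternative Name" header,
# comma separated; othername entries (the Kerberos principal) are ignored.
san_has_dns() {
  printf '%s\n' "$1" \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# Read the live certificate and check it for the expected DNS name.
verify_san() {
  san_has_dns "$(openssl x509 -text -noout -in "$1")" "$2"
}

# Constructed sample mirroring the SAN block shown in the thread.
SAMPLE_X509_TEXT='Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:newhost.example.test, othername:<unsupported>, othername:<unsupported>, DNS:ipa.example.test
            X509v3 Key Usage: critical'

# Usage: ./add_san.sh ipa.example.test newhost.example.test /var/lib/ipa/certs/httpd.crt
if [ $# -eq 3 ]; then
  add_san_name "$1" "$2" "$3"
  verify_san "$3" "$2" && echo "SAN DNS:$2 present in $3"
fi
```

Run it on the IPA-enrolled web host as a principal allowed to add hosts and services; without arguments it only defines the functions and the sample.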