Carlos Mogas da Silva via FreeIPA-users wrote:
>
> On 27/02/23 07:29, Alexander Bokovoy via FreeIPA-users wrote:
>> On Sat, 25 Feb 2023, Carlos Mogas da Silva via FreeIPA-users wrote:
>>> Thanks for the pointer Alexander. I actually did search the list, but
>>> searched for "vhost" :P
>>>
>>> Anyway, I did as in the thread you mentioned, the only difference
>>> being that I used ipa-getcert and used the HOST key instead of the
>>> HTTP key for the principal name, but certmonger can't seem to find
>>> the "webapp1" ?
>>>
>>> ca-error: Server at https://ipa01.int.example.com/ipa/json failed
>>> request, will retry: 4001 (The service principal for subject alt name
>>> webapp1.int.example.com in certificate request does not exist).
>>>
>>> both HTTP/webapp1.int.example.com and HOST/host1.int.example.com
>>> exist and the host object itself for both also exists.
>>>
>>> I feel like I'm missing something obvious...
>>
>> Please show exact sequence of what you did.
>>
>>
>
> $ ipa host-add webapp1.int.example.com
> $ ipa service-add HTTP/webapp1.int.example.com
> $ ipa service-add-host HTTP/webapp1.int.example.com --host host1.int.example.com
>
> $ ipa-getcert request -f webapp1.int.example.com.cert -k webapp1.int.example.com.key -D webapp1.int.example.com -K HOST/host1.int.r3pek.org # ran this on host1 itself.

There are two problems:

1. You don't include the subject (-N) so certmonger will default to the
   current host
2. You are using the wrong principal. You should use the HTTP service you
   created.

In my reproduction I ended up with:

# ipa-getcert request -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -D test.example.test -K HTTP/test.example.test -N "CN=test.example.test" -v -w

rob
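
The two problems named in the reply above can be caught before a request is submitted. The following is an added example, not code from the thread or from the FreeIPA project: the function name lint_getcert and the sample host names are constructed, and the comparison of the -N CN against the -K principal's host is an assumption modelled on the reproduction command.

```sh
#!/bin/sh
# Pre-flight lint for an "ipa-getcert request" argument list (added example).
# It only inspects -N, -K and -D, the options discussed in this thread.

# lint_getcert ARGS...  prints one line per finding; returns 1 if any, else 0.
lint_getcert() {
    subject="" principal="" names="" rc=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -N) subject="${2-}" ;;          # requested subject name
            -K) principal="${2-}" ;;        # Kerberos principal for the request
            -D) names="$names ${2-}" ;;     # DNS subject alt name(s)
        esac
        shift
    done

    # HTTP/host.example.test@REALM -> host.example.test
    phost="${principal#*/}"; phost="${phost%%@*}"

    if [ -z "$subject" ]; then
        echo "no -N: certmonger will default the subject to the current host"
        rc=1
    else
        cn="${subject#CN=}"; cn="${cn%%,*}"
        if [ "$cn" != "$phost" ]; then
            echo "-N CN '$cn' differs from -K host '$phost'"   # assumption
            rc=1
        fi
    fi

    if [ -z "$phost" ]; then
        echo "no -K principal given"
        rc=1
    else
        case " $names " in
            *" $phost "*) ;;                # principal names a requested host
            *) echo "-K '$principal' does not match any -D name:$names"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample, shaped like the failing request in the thread.
lint_getcert request -f web.cert -k web.key \
    -D webapp1.int.example.com -K HOST/host1.int.example.com || true
```
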
