[Freeipa-users] IP SAN in certificates
Alessandro De Maria
2016-10-07 10:34:30 UTC
Hello,

I am running the following command to create a certificate for etcd

ipa-getcert request -w -r -f /etc/etcd/ssl/server.crt \
    -k /etc/etcd/ssl/server.key -N CN=dock07.prod.zzzzzz -D dock07.prod.zzzz \
    -A 10.0.1.67 -K etcd/dock07.prod.zzzz

ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our request,
giving up: 2100 (RPC failed at server. Insufficient access: Subject alt
name type IP Address is forbidden).
I believe FreeIPA does not currently support IPs as the SAN of a
certificate.

Is this still the case? Is there a workaround?
Regards
Alessandro
--
Alessandro De Maria
***@gmail.com
Rob Crittenden
2016-10-07 13:30:35 UTC
Post by Alessandro De Maria
> Hello,
> I am running the following command to create a certificate for etcd
>
> ipa-getcert request -w -r -f /etc/etcd/ssl/server.crt \
>     -k /etc/etcd/ssl/server.key -N CN=dock07.prod.zzzzzz -D dock07.prod.zzzz \
>     -A 10.0.1.67 -K etcd/dock07.prod.zzzz
>
> ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> request, giving up: 2100 (RPC failed at server. Insufficient
> access: Subject alt name type IP Address is forbidden).
> I believe FreeIPA does not currently support IPs as the SAN of a
> certificate.
> Is this still the case? Is there a workaround?
Still the case (and not likely to change AFAIK) and the only workaround
is in code.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Fraser Tweedale
2016-10-09 23:59:26 UTC
Post by Rob Crittenden
> Post by Alessandro De Maria
> > Hello,
> > I am running the following command to create a certificate for etcd
> >
> > ipa-getcert request -w -r -f /etc/etcd/ssl/server.crt \
> >     -k /etc/etcd/ssl/server.key -N CN=dock07.prod.zzzzzz -D dock07.prod.zzzz \
> >     -A 10.0.1.67 -K etcd/dock07.prod.zzzz
> >
> > ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> > request, giving up: 2100 (RPC failed at server. Insufficient
> > access: Subject alt name type IP Address is forbidden).
> > I believe FreeIPA does not currently support IPs as the SAN of a
> > certificate.
> > Is this still the case? Is there a workaround?
> Still the case (and not likely to change AFAIK) and the only workaround is
> in code.
There have occasionally been discussions about this. It might be
possible in the future, if we implement an extensible cert request
authorisation mechanism. Won't happen anytime soon, though.
> rob
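The thread above establishes that the FreeIPA CA refuses a request whose subjectAltName carries an "IP Address" entry, and that the fix on the requester's side is to ask for DNS names only. The script below is an added example, not code from this thread or from the FreeIPA project: it builds a throwaway CSR with openssl, lists the SAN entries by type the way `openssl req -text` renders them, and flags any IP Address entry so the request can be corrected before it is handed to ipa-getcert and rejected by the server. It assumes an `openssl` binary of version 1.1.1 or newer (for `-addext`); the hostname dock07.example.test is a constructed sample, and 10.0.1.67 is reused from the original request.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): inspect a CSR's SAN types
# before submitting it, because the FreeIPA CA rejects "IP Address" entries.
# Assumes openssl >= 1.1.1 (for -addext). Names below are constructed samples.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr <out.csr> <subjectAltName value>
# Generate a throwaway RSA key and a CSR carrying the given SAN list.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$1" \
        -subj "/CN=dock07.example.test" \
        -addext "subjectAltName=$2" >/dev/null 2>&1
}

# san_entries <csr>
# Print one SAN entry per line as openssl renders them,
# e.g. "DNS:dock07.example.test" or "IP Address:10.0.1.67".
san_entries() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# ip_sans <csr>
# Print the SAN entries the FreeIPA CA would refuse (type "IP Address").
# Returns 0 when there are none, 1 when at least one is present.
ip_sans() {
    san_entries "$1" | grep '^IP Address:' && return 1
    return 0
}

# Usage: the first CSR mirrors the thread's request (DNS name plus IP);
# the second is the DNS-only form that the FreeIPA CA will accept.
make_csr "$WORK/with-ip.csr" "DNS:dock07.example.test,IP:10.0.1.67"
make_csr "$WORK/dns-only.csr" "DNS:dock07.example.test"

for csr in with-ip dns-only; do
    echo "== $csr.csr"
    san_entries "$WORK/$csr.csr"
    if ip_sans "$WORK/$csr.csr" >/dev/null; then
        echo "OK: no IP SAN, safe to submit via ipa-getcert"
    else
        echo "REJECT: IP Address SAN present, request DNS names only (-D)"
    fi
done
```

Run it on a real CSR by pointing `san_entries` or `ip_sans` at the file instead of the generated ones; for etcd the practical consequence is that peers and clients must reach the node by the DNS name in the certificate rather than by its address.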