Tikkanen, Tuomo (Nokia - FI/Espoo)
2016-04-22 21:18:30 UTC
Hello all,
I tried to renew the server HTTP certificates for two freeipa servers so
that the certs would have Subject Alternative Name (SAN) fields for all the
addresses they have (two DNS names and IPs). I won't go into the details of
why this is required, but I started with ipa2 (slave) and immediately
got problems. Some I managed to solve, but there is now a problem to which
I have not found any solution.
How do I remove from certmonger a renewal request that has a bad
certificate request in it?
What I did was:
# ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain" -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A "10.22.199.253" -A "10.10.1.253"
This led to a problem: the ipa2.lab-management-domain server was not a
host in freeipa. I added the needed info:
# ipa host-add ipa2.lab-management-domain
# ipa service-add HTTP/ipa2.lab-management-domain --force
# ipa service-add-host HTTP/lab-management-domain --host ipa2.lab-management-domain
Then I ran the above resubmit command again.
This time there was an error related to the -D "10.22.199.253" and
-D "10.10.1.253" fields. Because it is not possible to use ipa
host-add "10.22.199.253", I decided to just drop the -D fields with IP
addresses, but left the -A options, and ran the resubmit command again.
Now the error in the ipa-getcert list command changed to say that IP
Address is forbidden:
# ipa-getcert list -i "20160212110456"
.......
Request ID '20160212110456':
status: MONITORING
ca-error: Server at https://ipa2.lab-public-domain/ipa/xml
denied our request, giving up: 2100 (RPC failed at server. Insufficient
access: Subject alt name type IP Address is forbidden).
stuck: no
.......
That is the state where I am now stuck. I have tried the ipa-getcert
resubmit command without any -D or -A fields, but the error stays there.
I took the "csr=" value from the file
/var/lib/certmonger/requests/20160212110456 and saved it to the file
/tmp/request. Using openssl I can see that it still contains a SAN attribute with
IP addresses and two odd fields that are probably there because of those
-D "IP" fields I had at the beginning:
# openssl req -in /tmp/request -text -noout
.........
X509v3 Subject Alternative Name:
DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain,
othername:<unsupported>, othername:<unsupported>, IP
Address:10.22.199.253, IP Address:10.10.1.253
.........
Repetitio est mater studiorum:
How can I clean up this defective state of certmonger?
Second question, if/when the above urgent problem is solved:
Is there any way to get an IP address into the SAN field for the IPA server certs?
The system is CentOS 7(.2) and freeipa is installed from the repository:
# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
# yum list installed | grep ipa
ipa-admintools.x86_64 4.2.0-15.el7_2.6 @updates
ipa-client.x86_64 4.2.0-15.el7_2.6 @updates
ipa-python.x86_64 4.2.0-15.el7_2.6 @updates
ipa-server.x86_64 4.2.0-15.el7_2.6 @updates
ipa-server-dns.x86_64 4.2.0-15.el7_2.6 @updates
libipa_hbac.x86_64 1.13.0-40.el7_2.1 @updates
python-iniparse.noarch 0.4-9.el7 @anaconda
python-libipa_hbac.x86_64 1.13.0-40.el7_2.1 @updates
sssd-ipa.x86_64 1.13.0-40.el7_2.1 @updates
BR,
--
Tuomo Tikkanen (a) nokia com
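Added example, not from the original post and not part of FreeIPA or certmonger: a small POSIX shell helper that, given a CSR saved in PEM form the way the post does with the csr= value, lists the SAN entries one per line and flags the entry types the IPA CA rejected in the error quoted above (IP Address, and the othername entries that openssl shows as unsupported). The constructed CSR, the throwaway key and the hostnames used as input are assumptions for the example; the type check reflects only the "Subject alt name type IP Address is forbidden" error in the post, not any other IPA policy.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM CSR's SAN entries
# and flag the types that the IPA CA refused in the thread.
set -eu

# san_entries FILE : print the SAN entries of a PEM CSR, one per line.
# Relies on "openssl req -text" printing the whole SAN on the line after
# the "X509v3 Subject Alternative Name" header.
san_entries() {
    openssl req -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^ +/, ""); print }' \
      | tr ',' '\n' \
      | sed 's/^ *//'
}

# forbidden_san FILE : print only the SAN entries of a type IPA rejected
# (IP Address, othername). Exit 0 if any were found, 1 if the CSR is clean.
forbidden_san() {
    san_entries "$1" | grep -E '^(IP Address|othername)' || return 1
}

# make_csr FILE SAN : write a constructed CSR with a throwaway key (example
# input only; the key is discarded). Needs OpenSSL 1.1.1+ for -addext.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout /dev/null \
      -subj "/CN=ipa2.lab-public-domain" \
      -addext "subjectAltName=$2" -out "$1" 2>/dev/null
}

# Usage: sh san_check.sh /tmp/request  (assumed script name)
if [ -n "${1:-}" ]; then
    echo "SAN entries in $1:"
    san_entries "$1"
    if forbidden_san "$1" >/dev/null; then
        echo "CSR still carries SAN types the IPA CA rejects; fix before resubmitting."
        exit 2
    fi
    echo "No IP Address / othername SAN entries found."
fi
```

Run it against the file the post extracted from /var/lib/certmonger/requests to see whether the stored CSR still carries the IP and othername entries before trying another resubmit.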
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project