Discussion:
[Freeipa-users] Getting a certificate for an alias
Steve Huston
2017-05-04 21:36:26 UTC
I'm trying to use certmonger to get an SSL certificate on a web host
which has an alias. I added the alias as a principal alias to the
host record in FreeIPA, and I added the service as well with the
actual hostname and the alias. However every time certmonger contacts
the CA, the request is rejected with "The service principal for
subject alt name ... does not exist" (or earlier, another similar
error which has now been lost to the scrollback).

hostname: coathook.astro.princeton.edu
Principal alias: host/***@ASTRO.PRINCETON.EDU
Principal alias: host/***@ASTRO.PRINCETON.EDU

Principal alias: HTTP/***@ASTRO.PRINCETON.EDU
Principal alias: HTTP/***@ASTRO.PRINCETON.EDU
Service: HTTP
Host Name: coathook.astro.princeton.edu

ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key \
    -f /etc/pki/tls/certs/puppetexplorer.crt \
    -D puppet.astro.princeton.edu \
    -N CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU \
    -K HTTP/***@ASTRO.PRINCETON.EDU \
    -C '/usr/sbin/apachectl graceful'

When I check with ipa-getcert list, I find:
ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
failed request, will retry: 4001 (RPC failed at server. The service
principal for subject alt name puppet.astro.princeton.edu in
certificate request does not exist).

Other attempts used the CN of puppet, and the Kerberos principal of
puppet as well, and they also failed but with the slightly different
error (I believe it was that the host does not exist).

So how does one create a certificate for an alias on a host?
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
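An added pre-flight check, not code from the thread or from the FreeIPA project, that models the CA-side rule behind the error above: for every -D name in the request the CA looks for a service principal SVC/name@REALM, and the thread's failure is that a name known only as a principal alias was not found. honor_aliases=False reproduces that rejection; honor_aliases=True models the alias-aware lookup the thread says FreeIPA 4.5 provides. The directory contents and the unmasked -K principal are constructed from the hostnames in the post.

```python
import argparse
import shlex

REALM = "ASTRO.PRINCETON.EDU"

# Constructed directory state: canonical service principal -> its principal aliases.
# The thread masks the principal names, so these are built from the hostnames it mentions.
SERVICES = {
    "HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU": [
        "HTTP/puppet.astro.princeton.edu@ASTRO.PRINCETON.EDU",  # added as a principal alias
    ],
}

# The request from the thread, with the masked -K principal filled in (constructed).
REQUEST = ("ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key "
           "-f /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu "
           "-N CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU "
           "-K HTTP/coathook.astro.princeton.edu@ASTRO.PRINCETON.EDU "
           "-C '/usr/sbin/apachectl graceful'")


def parse_request(cmdline):
    """Pull the SAN (-D, repeatable) and principal (-K) options out of an ipa-getcert request line."""
    parser = argparse.ArgumentParser(add_help=False)
    for opt in ("-k", "-f", "-N", "-K", "-C"):
        parser.add_argument(opt)
    parser.add_argument("-D", action="append", default=[])
    argv = shlex.split(cmdline)[2:]  # drop "ipa-getcert request"
    args, _unknown = parser.parse_known_args(argv)
    return args


def principal_known(principal, services, honor_aliases):
    """True if the principal is a canonical service principal, or (when honoured) an alias of one."""
    if principal in services:
        return True
    return honor_aliases and any(principal in aliases for aliases in services.values())


def missing_san_principals(cmdline, services, realm, honor_aliases):
    """SAN dNSNames for which the CA would report 'service principal ... does not exist'."""
    args = parse_request(cmdline)
    svc = args.K.split("/", 1)[0]  # "HTTP" from HTTP/host@REALM
    return [name for name in args.D
            if not principal_known(f"{svc}/{name}@{realm}", services, honor_aliases)]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"honor_aliases={mode}: missing {missing_san_principals(REQUEST, SERVICES, REALM, mode)}")
```

Run against a dump of your own `ipa service-show` output before submitting a request with extra -D names, and any name the strict mode reports is one that needs its own service principal on a pre-4.5 server.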
Fraser Tweedale
2017-05-05 01:15:00 UTC
Hi Steve,

The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser
--
Steve Huston
2017-05-05 02:30:39 UTC
Post by Fraser Tweedale
The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.
Excellent! Any chance of that getting backported into the 4.4.x
series available on RHEL7?
Fraser Tweedale
2017-05-05 03:24:18 UTC
Post by Steve Huston
Post by Fraser Tweedale
The fix for this was released in FreeIPA 4.5. See ticket
https://pagure.io/freeipa/issue/6295.
Excellent! Any chance of that getting backported into the 4.4.x
series available on RHEL7?
Anecdotally it's unlikely, but it cannot hurt to file a ticket /
support case and ask for it.

Cheers,
Fraser