Hello, I have issued a certificate for an AWS ELB. The certificate is attached to a pseudo-host and service named lb.example.com. There is a certificate and the certificate ID is 21. The certificate was created on the FreeIPA server.
(as indicated here https://www.redhat.com/archives/freeipa-users/2015-September/msg00127.html)
I also created 2 more certificates for the back-end servers, installed them, and they work just fine when I connect directly to the back-end server. However, when I connect through the LB, browsers complain because the back-end certificate does not contain the DNS name of the LB. So, I revoked the previous certificates and tried to re-create them via:
sudo ipa-getcert request -f ~/certificates/certs/http_certificate.pem -k ~/certificates/keys/host_key.key -K HTTP/$(hostname -f) -N CN=$(hostname),O=EXAMPLE.COM -g 2048 -D lb.example.com -D host01.example.com -D aws-host01-example.com -D webserver01.example.com (The command was executed on the back-end servers in order to avoid transferring the files)
The request fails with this error:
ca-error: Server at https://ipa01.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'lb.example.com'.).
Do I get this error because there is a certificate for this service already? If so, how can I bypass this?
If it's not possible, I will recreate the LB certificate and add all DNS names in that, but it's less than ideal since if I add a new server in the future, I will need to re-issue the certificate.
freeipa-users@lists.fedorahosted.org
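The "Insufficient privilege to create a certificate with subject alt name" error above comes from the per-SAN authorization rule FreeIPA applies to certificate requests: for every dNSName SAN in the CSR, a service principal of the requested type (here HTTP/<san>) must exist, and the principal submitting the request (the back-end host's keytab, when ipa-getcert runs on that host) must be listed as a manager of that service (the managedBy attribute, granted with `ipa service-add-host <principal> --hosts=<host>`). The Python below is an added example that is not FreeIPA's code; it models that check with constructed data (the realm EXAMPLE.COM, the hostnames from the post, and the helper names Directory, check_san_request and grant_san_access are all assumptions) and ignores other SAN types and CA ACLs, so it shows only why a request from host01 for the lb.example.com name is refused and which grant makes it pass.

```python
"""Model of FreeIPA's per-SAN authorization check for certificate requests.

Added example, not FreeIPA's own code. All data below is constructed.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # assumed realm for the example


@dataclass
class Service:
    principal: str                                    # e.g. "HTTP/lb.example.com@EXAMPLE.COM"
    managed_by: set = field(default_factory=set)      # host FQDNs allowed to manage it


class Directory:
    """Minimal stand-in for the service entries FreeIPA keeps in LDAP."""

    def __init__(self):
        self.services = {}

    def service_add(self, svc_type, host):
        # ipa service-add makes the host the service lives on its manager by default
        principal = f"{svc_type}/{host}@{REALM}"
        self.services[principal] = Service(principal, {host})
        return principal

    def service_add_host(self, principal, host):
        # equivalent of: ipa service-add-host <principal> --hosts=<host>
        self.services[principal].managed_by.add(host)


def check_san_request(directory, requesting_host, svc_type, sans):
    """Return {san: verdict}; verdict is 'ok', 'NotFound' or 'ACIError'.

    'ACIError' is the branch behind the "Insufficient privilege ... subject
    alt name" message: the service exists, but the requester does not manage it.
    """
    verdicts = {}
    for san in sans:
        principal = f"{svc_type}/{san}@{REALM}"
        svc = directory.services.get(principal)
        if svc is None:
            verdicts[san] = "NotFound"
        elif requesting_host not in svc.managed_by:
            verdicts[san] = "ACIError"
        else:
            verdicts[san] = "ok"
    return verdicts


def request_allowed(verdicts):
    """The CA only issues when every SAN passed."""
    return all(v == "ok" for v in verdicts.values())


def grant_san_access(directory, host, svc_type, sans):
    """Create missing services and let `host` manage each SAN's service."""
    for san in sans:
        principal = f"{svc_type}/{san}@{REALM}"
        if principal not in directory.services:
            directory.service_add(svc_type, san)
        directory.service_add_host(principal, host)


def demo():
    """Replay the post's scenario; returns the verdicts before and after the grant."""
    d = Directory()
    d.service_add("HTTP", "lb.example.com")      # the LB pseudo-host's service
    d.service_add("HTTP", "host01.example.com")  # the back-end host's own service
    sans = ["lb.example.com", "host01.example.com", "webserver01.example.com"]
    before = check_san_request(d, "host01.example.com", "HTTP", sans)
    grant_san_access(d, "host01.example.com", "HTTP", sans)
    after = check_san_request(d, "host01.example.com", "HTTP", sans)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before grant:", before, "-> allowed:", request_allowed(before))
    print("after grant: ", after, "-> allowed:", request_allowed(after))
```

The model also makes the trade-off in the last paragraph of the post concrete: adding a back-end host to the managedBy list of HTTP/lb.example.com is a per-host grant that does not require re-issuing the LB certificate, whereas folding every back-end name into one certificate means a new CSR each time a server is added.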