Environment
Records are added in IPA DNS for both names.
[root@ipaserver nssdb]# nslookup ipa1.sub.ipaexample.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: ipa1.sub.ipaexample.com
Address: 10.10.100.2

[root@ipaserver nssdb]# nslookup ipa2.sub.ipaexample.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: ipa2.sub.ipaexample.com
Address: 10.10.100.3

[root@ipaserver nssdb]# nslookup 10.10.100.3
3.100.10.10.in-addr.arpa name = ipa2.sub.ipaexample.com.

[root@ipaserver nssdb]# nslookup 10.10.100.2
2.100.10.10.in-addr.arpa name = ipa1.sub.ipaexample.com.
1] With multiple DNS and IP and CN=ipa1.sub.ipaexample.com (throws error for 10.10.100.3)

# certutil -d . -R -a -o ipa2.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2,ip:10.10.100.3
# openssl req -text < ipa2.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2, IP Address:10.10.100.3
# ipa cert-request ipa2.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa2.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.3) unreachable from DNS names
2] With multiple DNS and IP and CN=ipa2.sub.ipaexample.com (throws error for 10.10.100.2)

# certutil -d . -R -a -o ipa3.csr -s CN=ipa2.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2,ip:10.10.100.3
# openssl req -text < ipa3.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2, IP Address:10.10.100.3
# ipa cert-request ipa3.csr --principal host/ipa2.sub.ipaexample.com --certificate-out ipa3.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.2) unreachable from DNS names
3] With a single IP address (succeeds)

# certutil -d . -R -a -o ipa.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.2
# openssl req -text < ipa.csr
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.2
# ipa cert-request ipa.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa.pem
  Issuing CA: ipa
  Certificate: (base64 certificate omitted)
  Subject: CN=ipa1.sub.ipaexample.com,O=SUB.IPAEXAMPLE.COM
  Subject DNS name: ipa1.sub.ipaexample.com, ipa2.sub.ipaexample.com
  Issuer: CN=Certificate Authority,O=SUB.IPAEXAMPLE.COM
  Not Before: Mon Jun 08 13:00:04 2020 UTC
  Not After: Thu Jun 09 13:00:04 2022 UTC
  Serial number: 15
  Serial number (hex): 0xF
4] When the IP is not related to the CN

# certutil -d . -R -a -o ipa4.csr -s CN=ipa1.sub.ipaexample.com --extSAN dns:ipa1.sub.ipaexample.com,dns:ipa2.sub.ipaexample.com,ip:10.10.100.3
# openssl req -text < ipa4.csr
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa1.sub.ipaexample.com, DNS:ipa2.sub.ipaexample.com, IP Address:10.10.100.3
# ipa cert-request ipa4.csr --principal host/ipa1.sub.ipaexample.com --certificate-out ipa4.pem
ipa: ERROR: invalid 'csr': IP address in subjectAltName (10.10.100.3) unreachable from DNS names
Version-Release number of selected component (if applicable):
How reproducible: always
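The rule behind this error can be modelled as follows. This is an added illustration, not FreeIPA's own code, and it assumes the rule the four cases above imply: an IP SAN is accepted only when its PTR points to a SAN DNS name that belongs to the requesting principal's host (the host itself or a CNAME chain ending at it) and that name's A record confirms the IP. The DNS records are constructed inline from the ticket's environment, so no live lookups are made.

```python
from ipaddress import ip_address

# Constructed records mirroring the ticket's environment (not live DNS lookups).
FORWARD = {  # name -> A records
    "ipa1.sub.ipaexample.com": {"10.10.100.2"},
    "ipa2.sub.ipaexample.com": {"10.10.100.3"},
}
REVERSE = {  # ip -> PTR target
    "10.10.100.2": "ipa1.sub.ipaexample.com",
    "10.10.100.3": "ipa2.sub.ipaexample.com",
}
CNAMES = {}  # alias -> canonical name; the ticket's zone has none


def names_tied_to_host(host, san_dns, cnames=CNAMES):
    """SAN DNS names that are the principal's host or an alias resolving to it.

    Assumed model: only names belonging to the requesting host may vouch for
    an IP address, so one host cannot obtain a cert for another host's address.
    """
    tied = set()
    for name in san_dns:
        cur, seen = name, set()
        while cur not in seen:          # stop on CNAME loops
            if cur == host:
                tied.add(name)
                break
            seen.add(cur)
            cur = cnames.get(cur)
            if cur is None:
                break
    return tied


def check_san_ips(host, san_dns, san_ips):
    """Return (ip, reason) pairs for SAN IPs this model would reject."""
    tied = names_tied_to_host(host, san_dns)
    rejected = []
    for raw in san_ips:
        ip = str(ip_address(raw))        # validates and normalises the literal
        ptr = REVERSE.get(ip)
        # The IP must reverse-map to a SAN name tied to the principal's host,
        # and that name's A records must include the IP (forward-confirmed).
        if ptr is None or ptr not in tied:
            rejected.append((ip, "unreachable from DNS names"))
        elif ip not in FORWARD.get(ptr, set()):
            rejected.append((ip, "forward lookup does not confirm PTR"))
    return rejected
```

With this model, cases 1, 2 and 4 each reject exactly the IP belonging to the other host, while case 3 passes, matching the outputs above.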
Metadata Update from @ftweedal: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1846349
PR: https://github.com/freeipa/freeipa/pull/4810
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4810
master:
ipa-4-8:
ipa-4-6:
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)