On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins <derek(a)ihtfp.com> wrote:
Hi,
I'm running a single-host, hosted-engine oVirt deployment, version 4.3.10
(upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
not have a SubjectAltName.
If I try to use pki-enroll-request.sh to rebuild the host cert and follow
the instructions to add a --san, I get an error:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
Please try with '--san=DNS:host.na.me'.
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'My Org Name'
commonName :PRINTABLE:'host.na.me'
ERROR: adding extensions in section v3_ca_san
139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
Cannot sign certificate
Am I using this script incorrectly?
You are using it well. --san argument is passed as-is to openssl's
'subjectAltName', which requires a prefix to tell its type. Search the
net for 'openssl subjectAltName' for other examples.
Best regards,
--
Didi
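
The prefix requirement described in the reply above can be reproduced with plain openssl. This is an added example, not part of the original thread and not oVirt's own script: it self-signs a throwaway certificate with `openssl req` instead of calling pki-enroll-request.sh, and the function name `try_san` and the section name `v3_san` are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: feed a value to openssl's subjectAltName extension, report
# whether openssl accepts it, and show which SAN entries land in the cert.

# try_san VALUE
#   Prints the certificate's SAN entries and returns 0 when openssl accepts
#   VALUE; returns 1 when openssl rejects the extension value.
try_san() {
    local san="$1" dir rc=0
    dir="$(mktemp -d)" || return 2
    # Minimal request config; subject fields are the ones shown in the thread.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_san
[dn]
O = My Org Name
CN = host.na.me
[v3_san]
subjectAltName = $san
EOF
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
           -config "$dir/req.cnf" -keyout "$dir/key.pem" \
           -out "$dir/cert.pem" 2>"$dir/err.log"; then
        # The SAN values are on the line after the extension header.
        openssl x509 -in "$dir/cert.pem" -noout -text |
            grep -A1 'Subject Alternative Name' | tail -n 1 |
            sed 's/^ *//; s/ *$//'
    else
        rc=1    # e.g. "missing value" for an entry without a TYPE: prefix
    fi
    rm -rf "$dir"
    return "$rc"
}

# Bare hostname, as in the failing command: no type prefix, so it is rejected.
try_san 'host.na.me' || echo "rejected: host.na.me has no type prefix"
# Typed entry, as suggested in the reply.
try_san 'DNS:host.na.me'
# Several entries are comma-separated; each one carries its own prefix.
try_san 'DNS:host.na.me,IP:192.0.2.10'
```

Checking the issued certificate the same way (`openssl x509 -noout -text`) confirms that the SubjectAltName the engine was complaining about is present after re-enrolling.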