Hi Didi,
On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins <derek(a)ihtfp.com> wrote:
>
> Hi,
>
> I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
> not have a SubjectAltName.
>
> If I try to use pki-enroll-request.sh to rebuild the host cert and follow
> the instructions to add a --san, I get an error:
>
> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
Please try with '--san=DNS:host.na.me'.
AHA, thank you... That worked.
> Using configuration from openssl.conf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName :PRINTABLE:'My Org Name'
> commonName :PRINTABLE:'host.na.me'
> ERROR: adding extensions in section v3_ca_san
> 139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
> Cannot sign certificate
>
> Am I using this script incorrectly?
You are using it well. The --san argument is passed as-is to openssl's
'subjectAltName', which requires a prefix to tell its type. Search the
net for 'openssl subjectAltName' for other examples.
Is there any chance this could be added to the --help output?
An actual example would have been very useful.
Thanks again!
Best regards,
--
Didi
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com
www.ihtfp.com
Computer and Internet Security Consultant
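The point Didi makes above, that the --san value is handed to openssl's subjectAltName unchanged and so needs a type prefix such as DNS: or IP:, is exactly the kind of check a wrapper script could do before calling openssl, so that a bare "host.na.me" is turned into "DNS:host.na.me" instead of producing the "missing value" error in v3_alt.c. The following is an added example written for this thread; it is not part of oVirt's pki-enroll-request.sh, and the function names normalize_san and build_san_extension are my own. The accepted type names are the general-name types openssl's subjectAltName config syntax recognises; the sample values are constructed.

```python
import ipaddress
import re

# General-name type prefixes that openssl's subjectAltName config syntax
# accepts (the ones v2i_GENERAL_NAME_ex in v3_alt.c understands).
OPENSSL_SAN_TYPES = {"DNS", "IP", "email", "URI", "RID", "dirName", "otherName"}

# RFC 1123-style hostname, optionally with a leading wildcard label.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(\*\.)?"
    r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def normalize_san(value: str) -> str:
    """Return `value` in the form openssl's subjectAltName expects.

    An entry that already carries a known type prefix is passed through
    (after checking it is not empty, which is the thread's failure mode).
    A bare IP address becomes IP:..., a bare hostname becomes DNS:...;
    anything else is rejected rather than silently forwarded to openssl.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty SAN entry")

    prefix, sep, rest = value.partition(":")
    if sep and prefix in OPENSSL_SAN_TYPES:
        if not rest:
            raise ValueError(f"missing value after '{prefix}:'")
        return value

    # IPv6 literals contain ':' too, so try the IP parse before giving up.
    try:
        return f"IP:{ipaddress.ip_address(value)}"
    except ValueError:
        pass

    if _HOSTNAME_RE.match(value):
        return f"DNS:{value}"

    raise ValueError(
        f"unrecognised SAN entry {value!r}; use one of "
        + ", ".join(f"{t}:" for t in sorted(OPENSSL_SAN_TYPES))
    )


def build_san_extension(values) -> str:
    """Build the 'subjectAltName = ...' line for an openssl x509 extension section."""
    return "subjectAltName = " + ",".join(normalize_san(v) for v in values)


if __name__ == "__main__":
    # Constructed sample input mirroring the thread: the bare hostname that
    # made openssl fail, plus an address that should become an IP: entry.
    for entry in ["host.na.me", "DNS:host.na.me", "192.0.2.10", "IP:"]:
        try:
            print(f"{entry!r:20} -> {normalize_san(entry)}")
        except ValueError as exc:
            print(f"{entry!r:20} -> rejected: {exc}")
    print(build_san_extension(["host.na.me", "192.0.2.10"]))
```

The rejected case in the demo ("IP:" with nothing after the colon) is the same "missing value" condition openssl reported in the thread, caught before the request reaches the signer. Once a certificate has been issued, the resulting extension can be confirmed with `openssl x509 -in <cert> -noout -text` and looking for the "X509v3 Subject Alternative Name" block.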