
On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins <derek@ihtfp.com> wrote:
Hi Didi,
On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins <derek@ihtfp.com> wrote:
Hi,
I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10 (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does not have a SubjectAltName.
If I try to use pki-enroll-request.sh to rebuild the host cert and follow the instructions to add a --san, I get an error:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
Please try with '--san=DNS:host.na.me'.
AHA, thank you... That worked.
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'My Org Name'
commonName :PRINTABLE:'host.na.me'
ERROR: adding extensions in section v3_ca_san
139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
Cannot sign certificate
Am I using this script incorrectly?
You are using it well. --san argument is passed as-is to openssl's 'subjectAltName', which requires a prefix to tell its type. Search the net for 'openssl subjectAltName' for other examples.
Is there any chance this could be added to the --help output? An actual example would have been very useful.
Frankly, I'd prefer people (like you) that need to use these utilities manually, to search the net if they have problems, than spending hours debating about how long --help should be, what should be included in it and what not, what link we might provide for further reference (and please note that I didn't include such a link in my original reply - simply because I failed to find one that seemed "most suitable"), etc.

That said, patches are welcome! If you think you can improve the current text in a conflict-free way, which everyone will agree to, please go ahead and push a patch! :-)

BTW: What I personally do, is to search the code and/or relevant logs to see what other tools (the engine, engine-setup, in this case) do, as "reference examples".

Best regards,
--
Didi
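
The type-prefix requirement discussed in this thread, as an added example that is not part of the original messages or of the oVirt scripts: a pre-check for a value before it is passed to --san, plus a check that an issued certificate carries the extension. All function names are hypothetical; the prefix list is the one in OpenSSL's x509v3_config documentation, and the sample values are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of pki-enroll-request.sh.

# Return 0 if one entry has the "TYPE:value" shape OpenSSL's subjectAltName expects.
san_entry_ok() {
    case "$1" in
        DNS:?*|IP:?*|email:?*|URI:?*|RID:?*|dirName:?*|otherName:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if every comma-separated entry is well formed.
# An empty list, a bare hostname, or a trailing comma is rejected.
san_list_ok() {
    rest=$1
    [ -n "$rest" ] || return 1
    while :; do
        entry=${rest%%,*}
        entry=${entry# }          # tolerate one space after a comma
        san_entry_ok "$entry" || return 1
        case "$rest" in
            *,*) rest=${rest#*,} ;;
            *)   return 0 ;;
        esac
    done
}

# Print a typed form for a bare value: IPv4-looking input gets IP:, anything else DNS:.
# Values that already contain a colon are printed unchanged.
san_suggest() {
    case "$1" in
        '')        return 1 ;;
        *:*)       printf '%s\n' "$1" ;;
        *[!0-9.]*) printf 'DNS:%s\n' "$1" ;;
        *)         printf 'IP:%s\n' "$1" ;;
    esac
}

# Return 0 if the PEM certificate in file $1 contains a Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}
```
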