
Hi Didi,

On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins <derek@ihtfp.com> wrote:
Hi,
I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10 (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does not have a SubjectAltName.
If I try to use pki-enroll-request.sh to rebuild the host cert and follow the instructions to add a --san, I get an error:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
Please try with '--san=DNS:host.na.me'.
AHA, thank you... That worked.
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'My Org Name'
commonName :PRINTABLE:'host.na.me'
ERROR: adding extensions in section v3_ca_san
139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
Cannot sign certificate
Am I using this script incorrectly?
You are using it well. --san argument is passed as-is to openssl's 'subjectAltName', which requires a prefix to tell its type. Search the net for 'openssl subjectAltName' for other examples.
Is there any chance this could be added to the --help output? An actual example would have been very useful. Thanks again!
Best regards,
--
Didi

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
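
The fix discussed in this thread, as an added example that is not part of the original messages or of oVirt's own scripts: a small shell helper that turns a bare name list into the TYPE:value form openssl's subjectAltName expects, plus a check that an issued certificate carries the extension. The function names `normalize_san` and `cert_has_san` and the address 10.0.0.5 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. openssl's subjectAltName takes TYPE:value pairs; a bare
# "host.na.me" has no type, which produces the "missing value" error above.

# normalize_san LIST -> prints LIST with DNS:/IP: prefixes added where missing.
normalize_san() (
    # Subshell body: IFS and globbing changes do not leak to the caller.
    IFS=,
    set -f
    out=
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        case $entry in
            '') continue ;;
            DNS:?*|IP:?*|email:?*|URI:?*|RID:?*|dirName:?*|otherName:?*)
                ;;                          # already typed, keep as-is
            *:*)                            # unknown type or bare IPv6
                echo "unsupported SAN entry (type it explicitly): $entry" >&2
                exit 1 ;;
            *[!0-9.]*) entry="DNS:$entry" ;;   # contains a non-digit: host name
            *)         entry="IP:$entry" ;;    # digits and dots only: IPv4
        esac
        out="${out:+$out,}$entry"
    done
    [ -n "$out" ] || { echo "empty SAN list" >&2; exit 1; }
    printf '%s\n' "$out"
)

# cert_has_san FILE -> exit status 0 if the PEM certificate has a SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name'
}

# Usage with the command from the thread (host.na.me is the thread's name):
#   /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me \
#       --san="$(normalize_san host.na.me)"
if [ "$#" -gt 0 ]; then
    normalize_san "$1"
fi
```
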