On Sat, 25 Feb 2023, Carlos Mogas da Silva via FreeIPA-users wrote:
> > > Thanks Rob!
> > >
> > > Just to make it clear (at least for me), do I need to add a Principal Alias to
> > > the Host/Service with the new domain?
> > > As in, HOST/[email protected] needs to have an alias to
> > > HTTP/[email protected]?

> > You should not do that. Instead, create a host object in IPA and a service on
> > it, then add your host1 to the list of hosts allowed to manage this service.
> > Remember that a host object webapp1.example.com does not need to be
> > enrolled; it just has to exist in IPA for access control purposes.
> > host1.example.com can control webapp1.example.com and its services.
> >
> > This question is asked often on the list. You can see the following thread
> > for a concise description:
> > https://lists.fedorahosted.org/archives/list/[email protected]/thread/6FISBEB4UCE5IGW2XMVVYRR6Q2WOZG46/


> Thanks for the pointer Alexander. I actually did search the list, but searched for
> "vhost" :P
>
> Anyway, I did as in the thread you mentioned, the only difference being that I used
> ipa-getcert and used the HOST key instead of the HTTP key for the principal name,
> but certmonger can't seem to find "webapp1"?
>
> ca-error: Server at https://ipa01.int.example.com/ipa/json failed request, will retry: 4001 (The service principal for subject alt name webapp1.int.example.com in certificate request does not exist).
>
> Both HTTP/webapp1.int.example.com and HOST/host1.int.example.com exist, and the
> host objects for both also exist.
>
> I feel like I'm missing something obvious...

Please show exact sequence of what you did.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
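The workflow Alexander describes above (a never-enrolled host object, an HTTP service on it, host1 delegated to manage that service, then the certificate requested from host1), written out as an added example. This is not part of the thread and not Carlos's actual command sequence. The realm EXAMPLE.COM, the hostnames host1.example.com and webapp1.example.com, and the key/cert paths are assumed; the -K value is the HTTP service principal of the virtual host, so the DNS SAN in the CSR maps to a service principal that exists and that host1 is allowed to manage.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: realm EXAMPLE.COM,
# enrolled host host1.example.com, unenrolled "virtual" host webapp1.example.com.
set -eu

REALM="EXAMPLE.COM"
VHOST="webapp1.example.com"   # exists in IPA only as an object, never enrolled
MGR="host1.example.com"       # enrolled host that holds the key and requests the cert
CERT="/etc/pki/tls/certs/webapp1.crt"    # assumed paths on host1
KEY="/etc/pki/tls/private/webapp1.key"

# Service principal for the web application on a given host. The same string is
# used for 'ipa service-add' and for ipa-getcert's -K, so the SAN in the CSR maps
# to a principal that already exists and that $MGR is allowed to manage.
http_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Run once on an admin workstation holding an admin ticket (kinit admin).
provision() {
    svc=$(http_principal "$VHOST" "$REALM")
    # --force: accept the host name even if it has no DNS record yet
    ipa host-add "$VHOST" --force
    ipa service-add "$svc"
    # this is the step that lets host1's own keytab act on webapp1's service
    ipa service-add-host "$svc" --hosts="$MGR"
    ipa service-show "$svc"      # expect "Managed by: host1.example.com"
}

# Run as root on host1; certmonger authenticates with host1's host keytab.
request() {
    svc=$(http_principal "$VHOST" "$REALM")
    ipa-getcert request \
        -f "$CERT" -k "$KEY" \
        -K "$svc" \
        -D "$VHOST" \
        -N "CN=$VHOST"
    ipa-getcert list -f "$CERT"  # expect "status: MONITORING" once issued
}

case "${1:-}" in
    provision) provision ;;
    request)   request ;;
    *) echo "usage: $0 {provision|request}" >&2 ;;
esac
```

Run `sh webapp1-cert.sh provision` once with an admin ticket, then `sh webapp1-cert.sh request` as root on host1. If `ipa service-show` does not list host1 under "Managed by", the request step is expected to be rejected, since host1's keytab has no right to obtain a certificate for webapp1's service until that delegation exists.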
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
