Matt . wrote:
> Hi Rob,
>
> Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

> But still, I actually need to add a SAN to the webserver cert, which
> is different I think than the services at least.
>
> So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via DNS?

Not knowing what you want, I'm just answering what you are ASKING. That is not the same as giving a proper answer. I have the feeling you want to load balance IPA in general which isn't going to work without a ton of (ongoing) manual effort. Even Microsoft recommends against trying this in its AD environment: http://support.microsoft.com/en-us/kb/325608

In any case, the instructions I've already provided still apply. If you want to replace the Apache webserver cert you'll just need to do a couple of things first which have the potential of completely breaking IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax is slightly different than before, mostly because I'm just guessing in the dark because you aren't including enough details into what you're trying.

# ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is ipa1.example.com and you're creating a SAN for ipa.example.com.

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will still not work as expected. The UI _might_ work using forms-based authentication.

I'd strongly urge you to think about the top of this e-mail before proceeding onto the bottom.

rob

> Cheers,
>
> Matt
>
> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <[email protected]>:
>> Matt . wrote:
>>> When digging around I see this documentation:
>>>
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>
>>> I would expect that server.example.com is not going to be accepted by
>>> IPA when you visit the webgui like that ?
>>
>> These are SRV records for the ldap service. Think of it as discovery for
>> who provides ldap service in the domain. It isn't something used by a
>> web browser.
>>
>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>> think it should be example.com and not server.example.com. But in any
>> case it is irrelevant to a browser.
>>
>> rob
>>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
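Rob's procedure above, as an added example that is not part of the thread: a POSIX shell wrapper that refuses to run the destructive steps until the NSS *.db files are actually backed up, issues the certmonger request with the SAN, and checks that the new Server-Cert really lists it. The `request` subcommand of `ipa-getcert`, restarting httpd through `systemctl`, the `DNS Name:` lines in `certutil -L` output and the `DRY_RUN` switch are assumptions of this example, not from the thread.

```shell
# Added example, not from the thread. Wraps Rob's steps for replacing the
# Apache Server-Cert in an NSS database with one that carries a SAN.
# Assumptions: ipa-getcert's "request" subcommand issues the new cert,
# httpd is restarted via systemctl, certutil -L prints "DNS Name:" lines,
# and DRY_RUN=1 only prints the commands instead of running them.
set -eu

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Copy every *.db in DBDIR into a timestamped subdirectory and print its
# path. Fails (so the caller stops) if there was nothing to back up.
backup_nssdb() {
    dbdir=$1
    bak="$dbdir/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak"
    cp "$dbdir"/*.db "$bak"/ 2>/dev/null || {
        echo "no *.db files in $dbdir, refusing to touch the cert" >&2
        return 1
    }
    echo "$bak"
}

# Read certutil -L text output on stdin; succeed only if SAN is listed.
verify_san() {
    grep -q "DNS Name:.*$1"
}

# replace_http_cert DBDIR FQDN SAN: backup, stop tracking, delete the old
# cert, request a new one with the SAN (Rob's flags), restart httpd, verify.
replace_http_cert() {
    dbdir=$1; fqdn=$2; san=$3
    bak=$(backup_nssdb "$dbdir") || return 1
    echo "backup written to $bak"
    run ipa-getcert stop-tracking -d "$dbdir" -n Server-Cert
    run certutil -D -d "$dbdir" -n Server-Cert
    run ipa-getcert request -d "$dbdir" -n Server-Cert -N "CN=$fqdn" \
        -K "HTTP/$fqdn" -D "$san" -p "$dbdir/pwdfile.txt"
    run systemctl restart httpd
    if [ "${DRY_RUN:-0}" != "1" ]; then
        certutil -L -d "$dbdir" -n Server-Cert | verify_san "$san" \
            || { echo "new Server-Cert has no SAN for $san" >&2; return 1; }
    fi
}
```

Run it as `DRY_RUN=1 replace_http_cert /etc/httpd/alias ipa1.example.com ipa.example.com` first to see the exact commands before letting it touch the database.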
