Hi,

This should be it and worked for generating the cert with the altname ldap.domain.tld.

When I login and I go to services I get the following:

cannot connect to 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

So I'm a little bit confused here as the certificate contains both hostnames.

A simple wget says the ldap-01 doesn't exist also:

https://ldap-01.domain.tld/ipa/json
Connecting to ldap-01.domain.tld (ldap-01.domain.tld)|10.100.0.251|:443... connected.
ERROR: no certificate subject alternative name matches requested host name 'ldap-01.domain.tld'.
To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.

2015-03-26 20:43 GMT+01:00 Matt . <[email protected]>:
> Hi Rob,
>
> Thank you very much!
>
> I think this will work out as it's only https traffic.
>
> I will report back!
>
> Thanks a lot!
>
> Matt
>
> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <[email protected]>:
>> Matt . wrote:
>>> Hi Rob,
>>>
>>> Yes something is wrong there I guess.
>>
>> In any case, it doesn't apply to what you're trying to do.
>>
>>> But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least.
>>>
>>> So the question there is... how?
>>
>> What webserver cert? Are you trying to load balance the IPA services via DNS?
>>
>> Not knowing what you want, I'm just answering what you are ASKING. That is not the same as giving a proper answer. I have the feeling you want to load balance IPA in general which isn't going to work without a ton of (ongoing) manual effort. Even Microsoft recommends against trying this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>>
>> In any case, the instructions I've already provided still apply.
>>
>> If you want to replace the Apache webserver cert you'll just need to do a couple of things first which has the potential of completely breaking IPA, so you'll need to be careful.
>>
>> Before you do anything, backup *.db in /etc/httpd/alias.
>>
>> Stop tracking the Apache cert in certmonger:
>>
>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>
>> Delete the existing cert:
>>
>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>
>> Like I said, destructive.
>>
>> Finally use certmonger to get a new cert that includes a SAN. The syntax is slightly different than before, mostly because I'm just guessing in the dark because you aren't including enough details into what you're trying.
>>
>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>
>> In this case the IPA server is ipa1.example.com and you're creating a SAN for ipa.example.com.
>>
>> Restart httpd.
>>
>> Note that this doesn't solve the Kerberos problem so cli access will still not work as expected. The UI _might_ work using forms-based authentication.
>>
>> I'd strongly urge you to think about the top of this e-mail before proceeding onto the bottom.
>>
>> rob
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <[email protected]>:
>>>> Matt . wrote:
>>>>> When digging around I see this documentation:
>>>>>
>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>
>>>>> I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that?
>>>>
>>>> These are SRV records for the ldap service. Think of it as discovery for who provides ldap service in the domain. It isn't something used by a web browser.
>>>>
>>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd think it should be example.com and not server.example.com. But in any case it is irrelevant to a browser.
>>>>
>>>> rob
>>>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
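The Firefox and wget errors in this thread hinge on a rule nobody spells out: a client that finds dNSName entries in the subjectAltName ignores the subject CN entirely (RFC 6125), so a certificate with CN=ldap-01.domain.tld and a SAN holding only ldap.domain.tld covers ldap but not ldap-01. The following is an added example, not code from the thread or from FreeIPA: it applies that rule to the dict shape Python's ssl getpeercert() returns, over constructed sample certificates that mirror this thread (the THREAD_CERT and FIXED_CERT contents and the cafile argument are assumptions).

```python
# RFC 6125-style hostname check (the rule Firefox and wget apply): when a
# certificate carries dNSName SAN entries, only those count; the CN is ignored.
import socket
import ssl


def cert_dns_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def _name_match(pattern, hostname):
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # A wildcard is only valid as the entire leftmost label and never spans a
    # dot: "*.domain.tld" covers ldap.domain.tld but not a.b.domain.tld.
    return len(p) == len(h) and len(p) >= 3 and p[0] == "*" and p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """Return (ok, reason) saying whether and why hostname is covered by cert."""
    sans, cns = cert_dns_names(cert)
    if sans:
        if any(_name_match(s, hostname) for s in sans):
            return True, "matched subjectAltName"
        return False, "SAN present but none match; CN %r is ignored" % cns
    if any(_name_match(c, hostname) for c in cns):
        return True, "matched commonName (no SAN present)"
    return False, "no SAN and CN does not match"


def fetch_peer_cert(host, cafile, port=443, timeout=5.0):
    """Fetch the cert a live server presents, chain-verified against cafile (the
    issuing CA's PEM, caller-supplied); hostname checking is deferred to
    hostname_matches() so the mismatch reason can be reported. Not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples mirroring the thread: the CN names the real host while the
# SAN only carries the added alias, so a client asking for ldap-01 is refused;
# FIXED_CERT shows the cure, a SAN listing every name clients will use.
THREAD_CERT = {"subject": ((("commonName", "ldap-01.domain.tld"),),),
               "subjectAltName": (("DNS", "ldap.domain.tld"),)}
FIXED_CERT = {"subject": THREAD_CERT["subject"],
              "subjectAltName": THREAD_CERT["subjectAltName"] + (("DNS", "ldap-01.domain.tld"),)}
```

Running hostname_matches(THREAD_CERT, "ldap-01.domain.tld") reproduces the wget failure and names the cause; the same call against FIXED_CERT succeeds.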
