On 07/16/2017 09:47 PM, Fraser Tweedale wrote:

Glad you've figured it out.

In general, there must be different certs on a replica because the
hostname is different.  IPA does not do the work to figure out that
the wildcard cert on the master will be valid for the replica too
and therefore use it for the replica services - and it almost
certainly never will (wildcard certs are deprecated).

But, during ipa-replica-install(1) you can provide certificates for
the Directory Server and Apache HTTPD via the --dirsrv-cert-file and
--http-cert-file options.  This way you can give the replica the
wildcard certs from the start, and it will not issue certs from the
IPA CA for these services.  This would have achieved the desired


That's good info to have, but I keep hearing that wildcard certs are deprecated/going away, but I've seen nothing from any sources (outside of mailing lists) that back that up. I'm curious as to why that is (I know why wildcards are considered bad) and why I've not seen anything remotely official on it.

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
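The procedure Fraser describes above (hand the replica the externally issued wildcard cert at install time through --dirsrv-cert-file / --http-cert-file so the IPA CA never issues its own) works only if that cert actually covers the replica's FQDN, which IPA will not verify for you. The script below is an added example, not code from the thread or from the FreeIPA project: it implements the RFC 6125 wildcard matching rule in plain sh, reads the DNS SANs out of a PEM file with openssl, and only then calls ipa-replica-install. The file paths, the PIN variable and the hostnames are assumptions; the --dirsrv-pin / --http-pin flags are the key-unlock options that accompany the cert-file flags, and the cert file may be passed as PEM or PKCS#12 per the installer's help text.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): verify that an
# externally issued wildcard certificate covers this replica's FQDN before
# handing it to ipa-replica-install.  WILDCARD_CERT and CERT_PIN are
# assumed values for illustration.
WILDCARD_CERT=${WILDCARD_CERT:-/etc/pki/tls/private/wildcard.example.com.p12}
CERT_PIN=${CERT_PIN:-changeme}

# wildcard_matches PATTERN HOST
# RFC 6125 style match: '*' is accepted only as the entire leftmost label and
# it matches exactly one label, so '*.example.com' covers
# 'replica1.example.com' but neither 'example.com' nor
# 'host.sub.example.com'.  Comparison is case-insensitive.  Returns 0 on match.
wildcard_matches() {
    wm_pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    wm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$wm_pattern" in
        '*.'*)
            wm_suffix=${wm_pattern#\*.}
            # no second wildcard anywhere in the remaining labels
            case "$wm_suffix" in *'*'*) return 1 ;; esac
            case "$wm_host" in
                *".$wm_suffix")
                    wm_leftmost=${wm_host%".$wm_suffix"}
                    # the wildcard must stand in for exactly one non-empty label
                    case "$wm_leftmost" in
                        ''|*.*) return 1 ;;
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *'*'*) return 1 ;;                     # wildcard in any other position
        *)     [ "$wm_pattern" = "$wm_host" ] ;;
    esac
}

# cert_covers_host CERT_FILE HOST
# Extracts the DNS entries of the subjectAltName extension from a PEM
# certificate (openssl 1.1.1+ for -ext) and checks whether any covers HOST.
cert_covers_host() {
    cc_cert=$1
    cc_host=$2
    cc_names=$(openssl x509 -in "$cc_cert" -noout -ext subjectAltName 2>/dev/null \
               | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    [ -n "$cc_names" ] || { echo "no DNS SANs found in $cc_cert" >&2; return 1; }
    set -f                                    # keep '*' from globbing the cwd
    for cc_name in $cc_names; do
        if wildcard_matches "$cc_name" "$cc_host"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# install_replica: the actual installer call, guarded by the SAN check.
# The same file is given to both services, so the replica never requests
# dirsrv/httpd certificates from the IPA CA.  Not executed by this script
# unless called explicitly.
install_replica() {
    replica_fqdn=$(hostname -f)
    if ! cert_covers_host "$WILDCARD_CERT" "$replica_fqdn"; then
        echo "refusing: $WILDCARD_CERT does not cover $replica_fqdn" >&2
        return 1
    fi
    ipa-replica-install \
        --dirsrv-cert-file="$WILDCARD_CERT" --dirsrv-pin="$CERT_PIN" \
        --http-cert-file="$WILDCARD_CERT"   --http-pin="$CERT_PIN"
}
```

Run it as `. ./check.sh && install_replica` on the replica after the usual enrolment prerequisites; if the cert is a PKCS#12 bundle, pass the same file to --http-cert-file and --dirsrv-cert-file as above, otherwise the cert-file options can be repeated to supply the key and certificate in separate PEM files. The match function deliberately rejects `*.example.com` for a bare `example.com` and for multi-level names, which is exactly the case where a wildcard "looks" fine on the master but would fail TLS validation on a replica in a sub-domain.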