Matt . wrote:
> Hi Rob,
> Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

> But still, I actually need to add a SAN to the webserver cert, which
> is different I think than the services at least.
> So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via

Not knowing what you want, I'm just answering what you are ASKING. That
is not the same as giving a proper answer. I have the feeling you want
to load balance IPA in general which isn't going to work without a ton
of (ongoing) manual effort. Even Microsoft recommends against trying
this in its AD environment:

In any case, the instructions I've already provided still apply.

If you want to replace the Apache webserver cert you'll just need to do
a couple of things first which has the potential of completely breaking
IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax
is slightly different than before, mostly because I'm just guessing in
the dark because you aren't including enough details into what you're

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N \
    -K HTTP/ -D -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is and you're creating a
SAN for

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will
still not work as expected. The UI _might_ work using forms-based

I'd strongly urge you to think about the top of this e-mail before
proceeding onto the bottom.


> Cheers,
> Matt
> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <>:
>> Matt . wrote:
>>> When digging around I see this documentation:
>>> I would expect that is not going to be accepted by
>>> IPA when you visit the webgui like that?
>> These are SRV records for the ldap service. Think of it as discovery for
>> who provides ldap service in the domain. It isn't something used by a
>> web browser.
>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>> think it should be and not But in any
>> case it is irrelevant to a browser.
>> rob
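The Apache cert replacement described above, as an added shell script that is not from the post or from FreeIPA: it takes the backup first, refuses to delete a nickname certutil cannot find, and prints the request line before running it. IPA_FQDN, SAN_HOST and the backup directory are assumed placeholders, since the post's own hostnames are not on the page.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: the Apache cert
# replacement above as one script that backs up first and refuses to
# delete a nickname it cannot find. IPA_FQDN and SAN_HOST are assumed
# placeholders (the post's own hostnames are not on the page).
NSSDB=/etc/httpd/alias
NICK=Server-Cert
PINFILE=$NSSDB/pwdfile.txt

# Print the certmonger request line for review before anything is run.
build_request_cmd() {
    printf 'ipa-getcert request -d %s -n %s -N CN=%s -K HTTP/%s -D %s -p %s\n' \
        "$NSSDB" "$NICK" "$1" "$1" "$2" "$PINFILE"
}

# Copy the NSS databases to a fresh directory; fail if nothing was copied.
backup_nssdb() {
    mkdir -p "$1" || return 1
    cp "$NSSDB"/*.db "$1"/ || return 1
    ls "$1"/*.db >/dev/null 2>&1
}

# Guard against deleting a nickname that is not in the database.
cert_exists() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

replace_cert() {
    fqdn=${IPA_FQDN:?set IPA_FQDN to the IPA server FQDN}
    san=${SAN_HOST:?set SAN_HOST to the extra DNS name for the SAN}
    bak=/root/httpd-alias-backup-$(date +%Y%m%d%H%M%S)
    backup_nssdb "$bak" || { echo "backup to $bak failed, aborting" >&2; return 1; }
    cert_exists "$NSSDB" "$NICK" || { echo "$NICK not in $NSSDB, aborting" >&2; return 1; }
    echo "about to run: $(build_request_cmd "$fqdn" "$san")"
    # Destructive from here on (as the post says): untrack, delete, re-request.
    ipa-getcert stop-tracking -d "$NSSDB" -n "$NICK" || return 1
    certutil -D -d "$NSSDB" -n "$NICK" || return 1
    ipa-getcert request -d "$NSSDB" -n "$NICK" -N "CN=$fqdn" \
        -K "HTTP/$fqdn" -D "$san" -p "$PINFILE" || return 1
    systemctl restart httpd
}

# Inert unless explicitly asked, so sourcing the file for review runs nothing.
if [ "${1:-}" = "--run" ]; then
    replace_cert
fi
```

Run it as `IPA_FQDN=<server> SAN_HOST=<extra name> sh replace-httpd-cert.sh --run`; without `--run` it only defines the functions.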

Manage your subscription for the Freeipa-users mailing list: