I'm almost there, but when I regenerate a certificate for the ldap server, I get the following when I visit it through the loadbalancer:

no alternative certificate subject name matches target host name 'ldap-01.domain....'

I think this is strange, as the certificate shows the ldap under the altnames for HTTP/ldap-01, but there is indeed no ldap-01 as altname, only on the certificate itself.

2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> HI Rob,
>>
>> Yes something is wrong there I guess.
>
> In any case, it doesn't apply to what you're trying to do.
>
>> But still, I actually need to add a SAN to the webserver cert, which
>> is different I think than the services at least.
>>
>> So the question there is... how ?
>
> What webserver cert? Are you trying to load balance the IPA services via
> DNS?
>
> Not knowing what you want, I'm just answering what you are ASKING. That
> is not the same as giving a proper answer. I have the feeling you want
> to load balance IPA in general which isn't going to work without a ton
> of (ongoing) manual effort. Even Microsoft recommends against trying
> this in its AD environment: http://support.microsoft.com/en-us/kb/325608
>
> In any case, the instructions I've already provided still apply.
>
> If you want to replace the Apache webserver cert you'll just need to do
> a couple of things first which have the potential of completely breaking
> IPA, so you'll need to be careful.
>
> Before you do anything, backup *.db in /etc/httpd/alias.
>
> Stop tracking the Apache cert in certmonger:
>
> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>
> Delete the existing cert:
>
> # certutil -D -d /etc/httpd/alias -n Server-Cert
>
> Like I said, destructive.
>
> Finally use certmonger to get a new cert that includes a SAN. The syntax
> is slightly different than before, mostly because I'm just guessing in
> the dark because you aren't including enough details into what you're
> trying.
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
> -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>
> In this case the IPA server is ipa1.example.com and you're creating a
> SAN for ipa.example.com.
>
> Restart httpd.
>
> Note that this doesn't solve the Kerberos problem so cli access will
> still not work as expected. The UI _might_ work using forms-based
> authentication.
>
> I'd strongly urge you to think about the top of this e-mail before
> proceeding onto the bottom.
>
> rob
>
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> When digging around I see this documentation:
>>>>
>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>
>>>> I would expect that server.example.com is not going to be accepted by
>>>> IPA when you visit the webgui like that ?
>>>
>>> These are SRV records for the ldap service. Think of it as discovery for
>>> who provides ldap service in the domain. It isn't something used by a
>>> web browser.
>>>
>>> I'm no DNS expert (by far) but this example looks a little wonky. I'd
>>> think it should be example.com and not server.example.com. But in any
>>> case it is irrelevant to a browser.
>>>
>>> rob
>>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
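Added example, not from the thread or from FreeIPA/certmonger: a small RFC 6125-style host name matcher that reproduces the "no alternative certificate subject name matches target host name" error Matt reports, showing why it fires even though the certificate's CN matches. It assumes the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates and host names are constructed.

```python
"""Host name checking against a server certificate, RFC 6125 style.

Constructed example: once a certificate carries any DNS subjectAltName,
verifiers (curl, OpenSSL, browsers) ignore the subject CN entirely. The
certificates below use the dict shape ssl.SSLSocket.getpeercert() returns.
"""

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one dNSName pattern against a host. A
    wildcard counts only as the whole leftmost label with two or more
    labels after it, so '*.example.com' matches neither 'example.com'
    nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def match_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason). DNS SAN entries are authoritative when
    present; the CN is consulted only for certificates with no DNS SAN."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, f"matched subjectAltName DNS:{name}"
        return False, ("no alternative certificate subject name matches "
                       f"target host name '{hostname}' (SANs: {dns_names})")
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_match(cn, hostname):
            return True, f"matched commonName {cn} (no DNS SAN present)"
    return False, f"commonName {cns} does not match '{hostname}'"

# Constructed certs: one shaped like the output of the quoted ipa-getcert
# command (CN = the IPA host, SAN = only the load-balancer name), and one that
# also lists the host itself. The Kerberos principal SAN appears to
# getpeercert() as an unsupported othername and plays no part in matching.
CERT_SAN_LB_ONLY = {
    "subject": ((("commonName", "ipa1.example.com"),),),
    "subjectAltName": (("DNS", "ipa.example.com"), ("othername", "<unsupported>")),
}
CERT_SAN_BOTH = {
    "subject": ((("commonName", "ipa1.example.com"),),),
    "subjectAltName": (("DNS", "ipa.example.com"), ("DNS", "ipa1.example.com")),
}

if __name__ == "__main__":
    for host in ("ipa.example.com", "ipa1.example.com"):
        print(host, match_hostname(CERT_SAN_LB_ONLY, host))
```

The practical consequence for the quoted command: as soon as `-D` adds a DNS SAN, the server's own FQDN has to be listed as a SAN as well, or clients that reach that host directly (rather than via the load-balancer name) will get exactly the error above.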