Prashant Bapat wrote:
I tried the steps documented on a test VM. Looks like I ended up in the situation described here https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.
Please be careful when pointing back at old threads. This issue was about expired certs. I suspect you found it because of a similar error message, but the underlying cause is completely unrelated.
You probably just need to add in the CA cert that issued the server certificate. I'd have thought that ipa-server-certinstall would enforce that but perhaps not.
I have one more question. Is there a way to disable HTTPS completely on the WebUI? I can add HTTPS on a load balancer in front of the UI to handle SSL.
It would be a rather terrible idea. You'd still have a lot of in-the-clear messaging between the IPA web server and the load balancer. I wouldn't recommend that; there are real replay issues possible. You should re-encrypt, so terminate SSL at the load balancer and then open a new SSL session to IPA.
rob
On 18 June 2015 at 19:03, Rob Crittenden <rcrit...@redhat.com> wrote:
Prashant Bapat wrote:
Hi All,
There is a way to change the certificate for the web UI. I went with a standard install with a self signed CA etc. Now I want to install a cert from a commercial CA. I don't mind using the IPA CA certs for the 389 DS, just want to change the cert for the UI. Any pointers on how to do this?
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
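
The re-encryption recommended in the reply above, sketched as an added example that is not part of the original thread. HAProxy is assumed as the load balancer (the thread names none), and every hostname and file path is a placeholder.

```haproxy
# Added example: TLS re-encryption in front of the IPA web UI.
# Hostnames and file paths are placeholders, not values from the thread.

global
    # Refuse legacy protocol versions on both sides of the proxy.
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend ipa_ui
    # Client-facing TLS session, terminated here with the commercial-CA
    # certificate (one PEM file: certificate, intermediate chain, key).
    bind :443 ssl crt /etc/haproxy/certs/ipa-ui.example.test.pem
    default_backend ipa_servers

backend ipa_servers
    # Weak variant (what disabling HTTPS on the web UI would amount to):
    # traffic between the load balancer and IPA crosses this hop in the clear.
    #   server ipa1 ipa1.example.test:80

    # Re-encrypted variant: a second TLS session to the IPA server. The
    # server certificate is validated against the CA that issued it and its
    # name is checked, so the hop is authenticated as well as encrypted.
    server ipa1 ipa1.example.test:443 ssl verify required ca-file /etc/haproxy/ipa-issuer-ca.pem verifyhost ipa1.example.test sni str(ipa1.example.test) check
```

The file can be syntax-checked with `haproxy -c -f <file>` before it is loaded.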