On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote: > BTW, there was related thread on freeipa-users in the past, with some > links to > related information: > > https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html
So this writeup seems to ignore the fact that Apache and the certificate store have already been established with mod_nss by the time you are finished a FreeIPA installation and does nothing about that in consideration of the fact that mod_nss and mod_ssl are mutually exclusive (AFAIU) for a single port. But yeah. I did consider ditching mod_nss and replacing it with mod_ssl but that seems like quite an extensive disruption to the default FreeIPA Apache configuration. In my experience, the further you get out of the box with integration projects like FreeIPA, the more fragile things are for future upgrading. > I assume the only change since then is that FreeIPA now supports > proper SAN > extension. Indeed, which seems to provide for a cleaner hack. It leaves the Apache configuration for FreeIPA intact and makes the future reversion, when mod_nss properly supports SNI easier. Cheers, b.
Description: This is a digitally signed message part
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project