On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote:
> BTW, there was related thread on freeipa-users in the past, with some
> links to
> related information:
> 
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

So this writeup seems to ignore the fact that Apache and the
certificate store have already been established with mod_nss by the
time you are finished a FreeIPA installation and does nothing about
that in consideration of the fact that mod_nss and mod_ssl are mutually
exclusive (AFAIU) for a single port.

But yeah.  I did consider ditching mod_nss and replacing it with
mod_ssl but that seems like quite an extensive disruption to the
default FreeIPA Apache configuration.  In my experience, the further
you get out of the box with integration projects like FreeIPA, the more
fragile things are for future upgrading.

> I assume the only change since then is that FreeIPA now supports
> proper SAN
> extension.

Indeed, which seems to provide for a cleaner hack.  It leaves the
Apache configuration for FreeIPA intact and makes the future reversion,
when mod_nss properly supports SNI easier.

Cheers,
b.

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to