On 06/07/16 13:57, Rob Crittenden wrote:
lejeczek wrote:
hi users,

I'd like to ask if it is possible to add (after deployment is finished) an
AltSubjectName to fIPA master?

I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable.

I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three servers'
IPs. Like e.g. ipa-ca, which seems to hold all servers' IPs.

I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100
(which is master's IP)

For what purpose, to make it easier for users to find the IPA server?

not, IPA, simplest thing I'd like have to use same apache IPA on all servers use - a local yum repos to be served from/via dns roundrobin.

but I feel I got off on the wrong foot there, I see with ipa command:

ipa: ERROR: cert validation failed for...

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.)

I assume you've already played with the certificates? The DNS change you made wouldn't cause this error.

no, actually I have not, I did not add a host nor a service nor a cert, there is no trace of "linux" anywhere, only dns A record - to get rid of the error I have to remove that new host & restart IPA.

rob

