On Mon, Jul 17, 2017 at 10:18:40AM -0400, Mark Haney wrote:
> On 07/17/2017 09:27 AM, Fraser Tweedale wrote:
> >
> > https://tools.ietf.org/html/rfc6125#section-7.2
> >
> > This document states that the wildcard character '*' SHOULD NOT
> > be included in presented identifiers but MAY be checked by
> > application clients (mainly for the sake of backward
> > comp
On Mon, Jul 17, 2017 at 08:48:36AM -0400, Mark Haney wrote:
> On 07/16/2017 09:47 PM, Fraser Tweedale wrote:
> >
> > Glad you've figured it out.
> >
> > In general, there must be different certs on a replica because the
> > hostname is different. IPA does not do the work to figure out that
> > the wildcard cert on the master will be valid for the replica too
> > and therefore use i
On Fri, Jul 14, 2017 at 07:47:39AM -0400, Mark Haney via FreeIPA-users wrote:
> On 07/13/2017 09:57 PM, Fraser Tweedale wrote:
> > OK, I think I understand.
> >
> > ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
> > set up with a certificate issued by the IPA CA, which your browser
> > does not trust.
> >
> > There are two ways forward here:
> > 1. You can use ipa-server-certinstall
On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote:
> On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
> >
> > Which version(s) of FreeIPA?
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> >
> > Which service(s) (HTTP, LDAP?).
> HTTPS. I haven't checked LDAPS yet. It appears this is only related to
> HTTPS. To give a bit of backstory, the primary host [ipa0] was
> instal
On Wed, Jul 12, 2017 at 01:20:36PM -0400, Mark Haney via FreeIPA-users wrote:
> I'm really new to FreeIPA, and this is probably a stupid question, but I
> just set up a replica of the primary (not in production) IPA server we have.
> However, the replica's SSL cert is untrusted, while the primary IP