[Freeipa-users] ipa server(master) and alternative name

lejeczek peljasz at yahoo.co.uk
Wed Jul 6 13:20:47 UTC 2016



On 06/07/16 13:57, Rob Crittenden wrote:
> lejeczek wrote:
>> hi users,
>>
>> I'd like to ask if it is possible to add (after deployment is finished) an
>> AltSubjectName to fIPA master?
>
> I don't see why not, they are just certs after all. You would need to be
> careful to get the certmonger tracking right but it should be doable.
>
>> I shall say what I'm hoping to achieve - having 3 servers I hope to have
>> in IPA's DNS a host, A record that will be resolving to three servers'
>> IPs. Like e.g. ipa-ca which seems to hold all servers' IPs.
>>
>> I started with:
>>
>> $ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100
>> (which is master's IP)
>
> For what purpose, to make it easier for users to find the IPA server?

Not IPA. The simplest thing: I'd like to use the same Apache that IPA uses on
all servers - local yum repos to be served from/via DNS round-robin.
>
>> but I feel I got off on the wrong foot there, I see with ipa command:
>>
>> ipa: ERROR: cert validation failed for...
>>
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>> as not trusted by the user.)
>
> I assume you've already played with the certificates? The DNS change you
> made wouldn't cause this error.
>

No, actually I have not. I did not add a host nor a service nor a cert; there
is no trace of "linux" anywhere, only the DNS A record - to get rid of the
error I have to remove that new host & restart IPA.

> rob
>



