On 07/16/2017 09:47 PM, Fraser Tweedale wrote:
Glad you've figured it out.
In general, there must be different certs on a replica because the hostname is different. IPA does not do the work to figure out that the wildcard cert on the master will be valid for the replica too and therefore use it for the replica services - and it almost certainly never will (wildcard certs are deprecated).
But, during ipa-replica-install(1) you can provide certificates for the Directory Server and Apache HTTPD via the --dirsrv-cert-file and --http-cert-file options. This way you can give the replica the wildcard certs from the start, and it will not issue certs from the IPA CA for these services. This would have achieved the desired outcome.
Cheers, Fraser
That's good info to have, but I keep hearing that wildcard certs are deprecated/going away, and I've seen nothing from any sources (outside of mailing lists) that backs that up. I'm curious as to why that is (I know why wildcards are considered bad), and why I've not seen anything remotely official on it.
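Added example, not code from this thread or from FreeIPA: before handing a wildcard certificate to ipa-replica-install with the --dirsrv-cert-file and --http-cert-file options Fraser mentions, it is worth checking that the certificate's SAN dNSNames actually cover the replica's FQDN, since IPA itself will not do that check. The matcher below follows the usual RFC 6125 rules (a single '*' only as the whole leftmost label, matching exactly one label). The SAN list is constructed for the example; the plan_replica_install helper and its assumption that each PEM file holds both certificate and private key are mine, not IPA's, and the command is only built, not executed.

```python
"""Check that a wildcard cert covers a replica FQDN, then build the
ipa-replica-install command that supplies it for Directory Server and HTTPD.
Example code for this thread; plan_replica_install is a hypothetical helper."""
import shlex


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    - case-insensitive, trailing dots ignored
    - '*' is allowed only as the entire leftmost label and matches exactly
      one label, so '*.example.com' covers 'replica1.example.com' but not
      'a.b.example.com' or 'example.com'
    - partial wildcards such as 'ipa*.example.com' are not honoured
    - a wildcard must leave at least two fixed labels ('*.com' is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return pattern == hostname
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate matches the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def plan_replica_install(replica_fqdn: str, san_dns_names, dirsrv_pem: str, http_pem: str):
    """Return the argv for ipa-replica-install on replica_fqdn, using the
    supplied PEM files (assumed to contain cert + key) for both services.
    Raises ValueError if the certificate would not be valid for the replica."""
    if not cert_covers_host(san_dns_names, replica_fqdn):
        raise ValueError(
            f"certificate SANs {list(san_dns_names)} do not cover {replica_fqdn}; "
            "IPA would accept the file but TLS clients would reject the name"
        )
    return [
        "ipa-replica-install",
        "--dirsrv-cert-file", dirsrv_pem,
        "--http-cert-file", http_pem,
    ]


if __name__ == "__main__":
    # Constructed sample: SANs taken from a wildcard cert issued for the IPA domain.
    wildcard_sans = ["*.example.com", "example.com"]
    for host in ("replica1.example.com", "replica1.ipa.example.com"):
        try:
            argv = plan_replica_install(host, wildcard_sans,
                                        "/root/wildcard.pem", "/root/wildcard.pem")
            print(f"{host}: run on the replica: {shlex.join(argv)}")
        except ValueError as exc:
            print(f"{host}: refusing: {exc}")
```

The second sample host shows the common surprise: a replica placed one DNS level deeper than the wildcard is not covered, and supplying the file anyway produces a replica whose services present a certificate no client will trust for that name.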