Thomas Boroske via FreeIPA-users wrote:
Flo always solves my IPA problems, even with a 4-year-old answer :-)
Thanks again for that.
For people searching this later: The problem can be fixed using:
$ getcert list -f /var/kerberos/krb5kdc/kdc.crt
(note the request Id)
$ getcert resubmit -i <request id>
$ getcert list -i <request id>
After that, the kdc.crt is a new one, and this one contains the Subject Alternative Name field.
And web logins immediately work again.
To throw in a little certmonger tip, you can do it all in one step:
# getcert resubmit -f /var/kerberos/krb5kdc/kdc.crt -v -w
resubmit and list can take more or less the same options. -v is verbose mode and will display the states of the request. -w will wait for it to pass or fail.
rob