On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote:
> On Sat, 12 Aug 2017, Harald Dunkel via FreeIPA-users wrote:
> > Hi Fraser,
> >
> > On Fri, 11 Aug 2017 18:48:29 +1000
> > Fraser Tweedale via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> > > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote:
> > > >
> > > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > > >
> > > > How can I tell freeipa?
> > > >
> > > Hi Harald,
> > >
> > > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > > value(s). Use `getcert list` to find the REQUEST-ID to use; it will
> > > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > > `Server-Cert`.
> > >
> >
> > This worked, thanks very much.
> >
> > I would suggest to create web server certificate with appropriate
> > SubjectAltName right from the start by ipa-server-install, but maybe
> > this has already been fixed?
> Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
> point:
> https://bugzilla.redhat.com/show_bug.cgi?id=1477046
Actually we have requested IPA service certificates with SAN for
several releases now. The recent change (#7007) is to change the
default profile to always add SAN, even if not explicitly requested.
Anyway, Harald's installation is obviously from a time before either
of those changes :)
Cheers,
Fraser
> See https://pagure.io/freeipa/issue/7007 for more upstream details.
>
> --
> / Alexander Bokovoy
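
The lookup described in the thread (find the request tracking `Server-Cert` in `/etc/httpd/alias`, then resubmit with `-D DNS-NAME`) can be scripted; the following is an added example, not part of the original messages or of FreeIPA. It assumes the usual `getcert list` layout with a `certificate:` line and an optional `dns:` line per request; the function names, request IDs and host names are constructed.

```shell
#!/bin/sh
# Constructed `getcert list` excerpt: two requests share the nickname Server-Cert,
# only one is in /etc/httpd/alias, and that one has no "dns:" (SAN) line.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    dns: ipa.example.test
Request ID '20170101000002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
EOF
}

# Print "<REQUEST-ID> <SAN list or ->" for the request tracking nickname $2 in NSSDB $1.
find_request() {
    awk -v db="$1" -v nick="$2" '
        function emit() { if (hit) print id, (dns == "" ? "-" : dns) }
        /^Request ID / { emit(); split($0, q, "\047"); id = q[2]; hit = 0; dns = "" }
        /^[ \t]*certificate:/ && index($0, "location=\047" db "\047") &&
            index($0, "nickname=\047" nick "\047") { hit = 1 }
        /^[ \t]*dns:/ { sub(/^[ \t]*dns:[ \t]*/, ""); gsub(/[ \t]/, ""); dns = $0 }
        END { emit() }'
}

# Read `getcert list` output on stdin; print the resubmit command only when
# DNS-NAME ($1) is missing from the tracked HTTP certificate's SAN list.
plan_resubmit() {
    req=$(find_request /etc/httpd/alias Server-Cert | head -n 1)
    [ -n "$req" ] || { echo "no request tracks Server-Cert in /etc/httpd/alias"; return 2; }
    id=${req%% *} sans=${req#* }
    case ",$sans," in
        *",$1,"*) echo "ok: request $id already carries SAN $1" ;;
        *) echo "getcert resubmit -i $id -D $1" ;;
    esac
}

# Demo on the constructed sample; on a real server use:
#   getcert list | plan_resubmit "$(hostname -f)"
sample_getcert_list | plan_resubmit ipa.example.test
```

Matching on the NSSDB location as well as the nickname matters because the directory server certificate can use the same `Server-Cert` nickname in a different database.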