> Thanks Rob!
>
> Just to make it clear (at least for me), do I need to add a Principal Alias to the
> Host/Service with the new domain?
> As in, HOST/host1.example.com@EXAMPLE.COM needs to have an alias to
> HTTP/webapp1.example.com@EXAMPLE.COM?

You should not do that. Instead, create a host object in IPA and a service on it, then
add your host1 to the list of hosts allowed to manage this service.
Remember that a host object webapp1.example.com does not need to be enrolled, it just
has to exist in IPA for access control purposes. host1.example.com can control
webapp1.example.com and its services.
This question is asked often on the list. You can see the following thread
for a concise description:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
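
The steps described in the reply above, as an added example that is not part of the original messages or of the FreeIPA project's own documentation: a small script that creates the un-enrolled host object, the service on it, and the delegation to the managing host. The function names, the APPLY switch and the use of --force (assuming the virtual name may have no A/AAAA record) are assumptions of this example.

```shell
#!/bin/sh
# Added example: delegate a virtual-host service to the machine that serves it.
# Dry-run by default (prints the ipa commands); set APPLY=1 to execute them
# from an IPA-enrolled machine with a valid admin Kerberos ticket.

# Run one command, or just print it when APPLY is not 1.
step() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# delegate_vhost MANAGING_HOST VHOST_FQDN [SERVICE_TYPE]
delegate_vhost() {
    manager=$1
    vhost=$2
    svc=${3:-HTTP}

    # Refuse short names: IPA host and service principals use FQDNs.
    for name in "$manager" "$vhost"; do
        case $name in
            *.*) ;;
            *) echo "error: '$name' is not a fully qualified host name" >&2
               return 2 ;;
        esac
    done

    # 1. Host object for the virtual name. It is never enrolled; it only has
    #    to exist for access control. --force skips the DNS check (assumption).
    step ipa host-add "$vhost" --force &&
    # 2. Service principal on that host object.
    step ipa service-add "$svc/$vhost" --force &&
    # 3. Let the real machine manage the service (and so request its cert).
    step ipa service-add-host "$svc/$vhost" --hosts="$manager" &&
    # 4. Let the real machine manage the virtual host object itself.
    step ipa host-add-managedby "$vhost" --hosts="$manager"
}

# Constructed sample values matching the names used in this thread.
delegate_vhost host1.example.com webapp1.example.com
```
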
Thanks for the pointer Alexander. I actually did search the list, but searched for
"vhost" :P
Anyway, I did as in the thread you mentioned, the only difference being that I used
ipa-getcert and used the HOST key instead of the HTTP key for the principal name, but
certmonger can't seem to find the "webapp1"?

ca-error: Server at https://ipa01.int.example.com/ipa/json failed request, will retry: 4001 (The service principal for subject alt name webapp1.int.example.com in certificate request does not exist).

Both HTTP/webapp1.int.example.com and HOST/host1.int.example.com exist, and the host
object itself for both also exists.
I feel like I'm missing something obvious...
Thanks again!