>>Thanks Rob!
>>
>>Just to make it clear (at least for me), do I need to add a Principal Alias to the Host/Service with the new domain?
>>As in, HOST/host1.example.com@EXAMPLE.COM needs to have an alias to HTTP/webapp1.example.com@EXAMPLE.COM?
>
>You should not do that. Instead, create a host object in IPA and a service on it, then
>add your host1 to the list of hosts allowed to manage this service.
>Remember that a host object webapp1.example.com does not need to be
>enrolled, just has to exist in IPA for access control purposes.
>host1.example.com can control webapp1.example.com and its services.
>
>This question is asked often on the list. You can see the following thread
>for a concise description:
>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/6FISBEB4UCE5IGW2XMVVYRR6Q2WOZG46/
>
Thanks for the pointer Alexander. I actually did search the list, but searched for
"vhost" :P
Anyway, I did as in the thread you mentioned, the only difference
being that I used ipa-getcert and used the HOST key instead of the
HTTP key for the principal name, but certmonger can't seem to find
"webapp1"?
ca-error: Server at https://ipa01.int.example.com/ipa/json failed request, will retry: 4001 (The service principal for subject alt name webapp1.int.example.com in certificate request does not exist).
Both HTTP/webapp1.int.example.com and HOST/host1.int.example.com exist, and the host objects for both also exist.
I feel like I'm missing something obvious...
Please show the exact sequence of what you did.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
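The sequence the quoted reply describes, written out as an added example (not code from this thread or from the FreeIPA project) for the hostnames used above: a non-enrolled host object for the vhost, an HTTP service on it, host1 added as a managing host, and the certmonger request made with that HTTP principal and a matching DNS SAN. The ipa commands are only printed unless IPA_APPLY=1 is set; the key and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example: provision a non-enrolled vhost host object plus an HTTP service
# that an enrolled host is allowed to manage, then request its certificate.
# Hostnames follow the thread; key/cert paths and IPA_APPLY are assumptions.
set -eu

REALM="EXAMPLE.COM"
VHOST="webapp1.example.com"    # needs the certificate; only has to exist in IPA
ENROLLED="host1.example.com"   # enrolled host that runs certmonger and holds the key
KEY_FILE="/etc/pki/tls/private/${VHOST}.key"   # assumed path
CERT_FILE="/etc/pki/tls/certs/${VHOST}.crt"    # assumed path

# Principal IPA expects to find for a DNS SAN: <service>/<san-host>@<realm>.
# The request principal and the SAN must name the same service and host.
san_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Dry-run by default so the sequence can be reviewed before it is applied.
run() {
    if [ "${IPA_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

provision_vhost_cert() {
    # 1. Host object for the vhost; --force skips the DNS check (no A record needed).
    run ipa host-add "$VHOST" --force
    # 2. Service principal on that host object (this is what the SAN is checked against).
    run ipa service-add "$(san_principal HTTP "$VHOST" "$REALM")"
    # 3. Let the enrolled host manage the service, so host1's credentials may
    #    request certificates for it.
    run ipa service-add-host "$(san_principal HTTP "$VHOST" "$REALM")" --hosts="$ENROLLED"
    # 4. On host1: request with the HTTP principal (not HOST/host1) and a matching SAN.
    run ipa-getcert request \
        -K "$(san_principal HTTP "$VHOST" "$REALM")" \
        -N "CN=${VHOST}" -D "$VHOST" \
        -k "$KEY_FILE" -f "$CERT_FILE"
}

# Number of ipa commands the sequence issues (used for a quick self-check).
provision_step_count() {
    provision_vhost_cert | wc -l | tr -d ' '
}
```

Run it once without IPA_APPLY to review the four commands, then with IPA_APPLY=1 on host1 as an admin with permission to add hosts and services.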