#7854 Unclear Documentation for Using 3rd Party Certificates
Closed: fixed 5 years ago by frenaud. Opened 5 years ago by csed.

Request for enhancement

While trying to set up FreeIPA with multiple masters and a cert from an external CA, the documentation's a bit unclear on some specific problems.

Issue

If you take a look here:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

The page specifies how to update the cert, but it doesn't specify that you need to do this for each replica.

Problem being that I wasn't sure whether the multi-master replication takes care of that, or if this is something that needs to be manually done.

It would also be good if it mentioned that this method is viable even if FreeIPA is installed with an internal CA.

We thought we would have to reinstall the system to explicitly remove the internal CA component.

Another minor issue, but I wouldn't mind knowing that:

# ipa-server-certinstall -w -d mysite.key mysite.crt

the -d and -w actually represent the two services, although you can figure that out fairly easily.

Best,
Juraj


Metadata Update from @frenaud:
- Issue assigned to frenaud

5 years ago

Hi,
thanks for your comments. I updated the wiki page, can you check if the update addresses your comments?

Note: if FreeIPA is deployed on multiple servers (master and replicas), the procedure must be applied on each server and requires an SSL certificate/private SSL key for each server.

Note 2: this procedure can be applied to change the HTTP/LDAP server certificates even if FreeIPA was initially deployed with an embedded CA.

and

The option -w|--http installs the certificate for the HTTP server, and -d|--dirsrv installs the certificate for the LDAP server. Please see ipa-server-certinstall(1) man page for more information regarding all the available options. 
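
An added example, not from the ticket, the wiki page or FreeIPA itself: a shell pre-flight check to run on each server, with that server's own key and certificate, before the ipa-server-certinstall step above, confirming that the key and certificate belong together, that the certificate's SAN covers that server's FQDN, and that it has not expired. It assumes openssl is installed and both files are PEM; the function names are my own.

```shell
#!/bin/bash
# Added example (not part of the ticket, the wiki page or FreeIPA itself).
# Pre-flight checks to run on EACH IPA server, with THAT server's own key and
# certificate, before calling ipa-server-certinstall. Assumes openssl is
# installed and both files are PEM. Function names are my own.

# Succeed only if the private key's public half equals the certificate's.
cert_matches_key() {
    local crt="$1" key="$2" crt_pub key_pub
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeed only if a DNS SAN entry (exact or single-label wildcard) covers host.
cert_covers_host() {
    local crt="$1" host="$2" san
    for san in $(openssl x509 -in "$crt" -noout -text 2>/dev/null \
                 | grep -o 'DNS:[^, ]*' | cut -d: -f2); do
        [ "$san" = "$host" ] && return 0
        case "$san" in
            \*.*) [ "${san#\*.}" = "${host#*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Succeed only if the certificate is currently valid (not yet expired).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all checks for one server; report the first failure on stderr.
preflight() {
    local host="$1" key="$2" crt="$3"
    cert_matches_key "$crt" "$key" || { echo "key/cert mismatch for $host" >&2; return 1; }
    cert_covers_host "$crt" "$host" || { echo "SAN does not cover $host" >&2; return 1; }
    cert_not_expired "$crt" || { echo "certificate for $host has expired" >&2; return 1; }
}

# On an IPA server: check, then install for both HTTP (-w) and LDAP (-d),
# exactly as the wiki command shows. Repeat on every master and replica.
install_here() {
    local key="$1" crt="$2"
    preflight "$(hostname -f)" "$key" "$crt" || return 1
    ipa-server-certinstall -w -d "$key" "$crt"
}
```

Usage on a server: `install_here /path/to/thishost.key /path/to/thishost.crt`; the command still prompts for the Directory Manager password as it normally does.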

Hey there,

Yeah, that's perfect. Appreciate the fast response!

Issue can be closed, far as I'm concerned.

Best,
Juraj

Metadata Update from @frenaud:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
