Hi Freeipa Team
Am I correct that it is only if freeipa's internal DNS is active and current
that freeipa can issue certificates if IP addresses are in the SAN part
of the cert? Even if DNSSec supported resolvers with accurate info are
on the same RFC1918 subnet as freeipa and nslookup / dig report proper
answers?
I hit a wall trying to re-issue a certificate. We had freeipa's DNS
running a few years ago, when the certs were first issued, then migrated
to another resolver with better HA dnssec support.
Would freeipa be able to issue IPs in certificates if I enabled
freeipa's dns system but pointed it off-host for all resolutions? Or
is it required that the DNS records be in local LDAP 'no matter what'?
Or perhaps a 'force because I actually do know what I'm doing' command
to issue such certificates with IPs in the SAN?
I feel like I'm missing something obvious here, so please help me out.
Thanks
Harry
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org