The fix from ticket https://pagure.io/freeipa/issue/4970 must be backported to Fedora 25 and 26, because Chrome stops supporting certificates without SAN.
Backporting the patch will solve only new installs, but it won't update existing installations. Martin, could you provide a command which will renew the cert with the required extensions?
*** Bug 1445927 has been marked as a duplicate of this bug. ***
Please follow the steps in the following email https://www.redhat.com/archives/freeipa-users/2017-April/msg00197.html to renew the certificate with the SAN extension.
Then Marco Rhodes transformed it into a simple Ansible playbook:

    - name: add SAN extension to IPA Apache SSL certificates
      hosts: ipa_v4
      gather_facts: no
      tasks:
        - name: certmonger - resubmit Apache SSL CSR with SAN extension
          shell: getcert resubmit -d /etc/httpd/alias -n 'Server-Cert' -D `hostname -f` -w -v
          become: true
          register: resubmit_result
        - debug: var=resubmit_result.stdout_lines
        - name: certmonger - list tracking status for Apache SSL certificate
          shell: getcert list -d /etc/httpd/alias/ -n 'Server-Cert' |egrep " ID|status:|stuck:|certificate:|expires:"
          become: true
          register: list_result
        - debug: var=list_result.stdout_lines
This has been fixed since IPA 4.4.1. https://pagure.io/freeipa/c/b12db924143cd6828c596c0b8a261325f3f589f3
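
To confirm that a renewed certificate really carries the SAN extension, the following check can be run against the exported certificate. It is an added example, not part of the original thread or of FreeIPA; the function names and the sample hostname `ipa.example.test` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report whether a PEM certificate
# carries a DNS subjectAltName entry for a given hostname.
# On an IPA server the Apache certificate can be exported from the NSS
# database named in the thread with:
#   certutil -L -d /etc/httpd/alias -n 'Server-Cert' -a > server-cert.pem

# Print the DNS names of the SAN extension, one per line, lowercased.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr 'A-Z' 'a-z'
}

# check_san PEM HOSTNAME
# 0 = hostname is in the SAN, 1 = SAN has DNS names but not this one,
# 2 = no DNS SAN entries at all, 3 = certificate could not be read.
# Exact, case-insensitive match only; wildcard entries are not expanded.
check_san() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 3
    names=$(san_dns_names "$1")
    [ -n "$names" ] || return 2
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$names" | grep -Fxq -- "$host" || return 1
    return 0
}

# Constructed sample input: a self-signed certificate for the hypothetical
# host ipa.example.test, written to $1. A SAN is added only when $2 is
# "san" (needs OpenSSL 1.1.1 or later for -addext).
make_sample_cert() {
    out=$1
    if [ "$2" = san ]; then
        set -- -addext "subjectAltName=DNS:ipa.example.test"
    else
        set --
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
        -subj "/CN=ipa.example.test" -days 1 -out "$out" "$@" >/dev/null 2>&1
}
```

A return code of 2 on the exported `Server-Cert` means the certificate still needs the `getcert resubmit ... -D` step from the playbook above.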