Ugh, that’s an ugly situation. All UCS services and servers expect to use and see the host name as it is now. Meaning that if you re-issue the certificate for the host ucs01 with host name mdc01, you’ll end up with not a lot working afterwards anymore, because now all UCS services will fail to connect.
Yeah, that’s exactly what you should do. That way both the old and the new name are part of the certificate. It should satisfy both UCS services and your other clients. The common name field isn’t all that important nowadays.
I seem to remember that the renew process re-uses the existing CSR (certificate signing request), and that one only includes the subjectAltName properties from the configuration as they were when the CSR was generated. Therefore you’ll have to re-generate the CSR (the req.pem file) from your config now. Maybe something like this:

```sh
# Re-create the CSR from the current openssl.cnf, re-using the existing private key
openssl req -batch -config openssl.cnf -new -key private.key -out req.pem
# Restore the ownership and permissions UCS expects on the request file
chown "root:DC Backup Hosts" req.pem
chmod 0640 req.pem
```
Afterwards try the renew process again. If it works, don’t forget to restart all services, or better yet, reboot.
Oh, and create a full backup of /etc/univention/ssl before you do any of those things above.
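As an added illustration of the point above (this is example code written for this page, not something from the thread or from UCS itself): before running the renew step, it is worth confirming that the freshly generated req.pem actually carries both host names in its subjectAltName extension, since a CSR built from a config without `req_extensions` silently drops them. The script below builds a throwaway key and a constructed openssl.cnf in a temporary directory (the host names `ucs01.example.test` and `mdc01.example.test`, the section names and the paths are all assumptions for the example; the real config under /etc/univention/ssl differs), regenerates the CSR with the same `openssl req` invocation as in the post, and then checks the CSR for the expected DNS names.

```shell
#!/bin/sh
# Added example, not from the forum post: regenerate a CSR from a config that
# carries subjectAltName entries and verify that both names made it into req.pem.
# Everything below (names, paths, config contents) is constructed for the demo.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed config: the old name stays the CN, the new name is added as a SAN.
# Without "req_extensions = v3_req" the SAN section would be ignored by "req -new".
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = ucs01.example.test

[ v3_req ]
subjectAltName = DNS:ucs01.example.test, DNS:mdc01.example.test
EOF

# Throwaway key for the demo; on a real host the existing private.key is reused.
openssl genrsa -out "$WORKDIR/private.key" 2048 2>/dev/null

# Same invocation as in the post, pointed at the constructed config.
regenerate_csr() {
    openssl req -batch -config "$1/openssl.cnf" -new \
        -key "$1/private.key" -out "$1/req.pem"
}

# Return 0 if every DNS name given after the CSR path appears in the CSR's
# Subject Alternative Name extension, 1 otherwise. Parses "openssl req -text".
csr_has_dns_names() {
    csr="$1"; shift
    # The SAN values are printed on the line after the extension header;
    # strip spaces and add a trailing comma so each name matches exactly.
    sans="$(openssl req -in "$csr" -noout -text \
            | awk '/Subject Alternative Name/{getline; print}' | tr -d ' '),"
    for name in "$@"; do
        case "$sans" in
            *"DNS:$name,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

regenerate_csr "$WORKDIR"
if csr_has_dns_names "$WORKDIR/req.pem" ucs01.example.test mdc01.example.test; then
    echo "req.pem carries both names; safe to run the renew step"
else
    echo "req.pem is missing a name; fix openssl.cnf before renewing" >&2
fi
```

Run it on a machine with the openssl binary installed; the same `csr_has_dns_names` check can be pointed at the real req.pem after regenerating it, with the host's actual FQDNs as arguments, and it should report success before the renew process is attempted.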