Cool
On Thu, 1 Aug 2019 at 11:48, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 7/31/19 3:42 PM, Rob Verduijn via FreeIPA-users wrote:
> Hi
>
> Thanx for the answer, sadly I've experienced that filing a bug with Red
> Hat can be a real challenge when you know your stuff.
>
> Since I'm not very familiar with the rewrite rules in combination with
> freeipa I won't be able to answer any questions they have.
>
OK, I opened the following BZs:
for rhel 7.8 doc
https://bugzilla.redhat.com/show_bug.cgi?id=1735692
for rhel 8 doc
https://bugzilla.redhat.com/show_bug.cgi?id=1735696
flo
> Rob
>
> On Wed, 31 Jul 2019 at 10:02, Florence Blanc-Renaud via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On 7/30/19 10:00 AM, Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > I was doing some rtfm for migration of an ipa ca-renewal master to a
> > different system.
> > I figured that the docs on migrating from rhel7 to rhel8 would be a nice
> > help for me to migrate from one centos7 to another centos 7 system.
> >
> > Something in the docs gave me pause.
> >
> > In the doc in chapter 17.4 instruction 4
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> >
> > It states that on replicas at the bottom of the file
> > /etc/httpd/conf.d/ipa-pki-proxy.conf you should uncomment the rewrite
> > rule and ensure it points to the 'ca renewal master'
> >
> Hi,
> the doc is incorrect, could you please file a bug?
>
> Whole explanation:
> to ensure that the CRL is consistent across all master/replicas, only
> one of them is generating the official CRL. This node is called the CRL
> generation master. It writes the CRL into 2 locations: a file in
> /var/lib/ipa/pki-ca/publish/ and also into LDAP below
> cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (this part of the tree is
> replicated to all the replicas with a CA instance).
> On all the nodes, the CRL can be found at
> http://$hostname/ipa/crl/MasterCRL.bin.
>
> On the CRL generation master, this URL corresponds to the file stored
> locally in /var/lib/ipa/pki-ca/publish/MasterCRL.bin (see the
> /etc/httpd/conf.d/ipa.conf file which defines Alias /ipa/crl
> "/var/lib/ipa/pki-ca/publish").
>
> On the other replicas, the /etc/httpd/conf.d/ipa-pki-proxy.conf file
> configures a RewriteRule:
> ^/ipa/crl/MasterCRL.bin
> http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> [L,R=301,NC]
>
> This means that when a http client accesses
> http://$hostname/ipa/crl/MasterCRL.bin, it gets redirected to
> http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL (on
> the same host). This URL is processed by Dogtag servlets, which perform
> an internal LDAP search on
> cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (remember, this suffix is
> replicated, meaning it contains the same data in the replica and in the
> CRL generation master).
>
> So it's completely normal that the RewriteRule points to the localhost
> and not to the CRL generation master.
>
> Hope this clarifies,
> flo
> >
> > However on the centos 7 freeipa replica it points to the replica.
> >
> > Is the configuration on the centos7 freeipa replica incorrect?
> > Or is the instruction from redhat in need of updates?
> >
> > If it's the first, then the installation packages of freeipa on centos
> > need some attention, because I didn't configure that line as such.
> >
> > Cheers
> > Rob
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
>
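As an added check (not code from this thread or from FreeIPA itself), the script below parses a replica's ipa-pki-proxy.conf and verifies the MasterCRL RewriteRule matches what Florence describes: active, a 301 to Dogtag's getCRL servlet on the same host, requesting the MasterCRL issuing point. The config text and hostnames are constructed samples.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample of the CRL block from a replica's
# /etc/httpd/conf.d/ipa-pki-proxy.conf (the hostname is made up).
SAMPLE_PROXY_CONF = """\
RewriteEngine on
RewriteRule ^/ipa/crl/MasterCRL.bin http://ipa-replica1.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""

CRL_PATTERN = "^/ipa/crl/MasterCRL.bin"
# Optional leading '#' (rule commented out), pattern, target, optional [flags]
RULE_RE = re.compile(
    r"^\s*(#\s*)?RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.M
)


def find_crl_rewrite(conf_text: str) -> Optional[dict]:
    """Return the MasterCRL.bin RewriteRule as a dict, or None if absent."""
    for commented, pattern, target, flags in RULE_RE.findall(conf_text):
        if pattern == CRL_PATTERN:
            return {
                "commented": bool(commented),
                "target": target,
                "flags": set(flags.split(",")) if flags else set(),
            }
    return None


def check_crl_rewrite(conf_text: str, local_hostname: str) -> List[str]:
    """Report deviations from the expected replica setup: rule active, 301 to
    this host's Dogtag getCRL servlet, asking for the MasterCRL issuing point
    (which Dogtag answers from the replicated o=ipaca LDAP subtree)."""
    rule = find_crl_rewrite(conf_text)
    if rule is None:
        return ["no RewriteRule for ^/ipa/crl/MasterCRL.bin found"]
    problems = []
    if rule["commented"]:
        problems.append("MasterCRL RewriteRule is commented out")
    url = urlparse(rule["target"])
    query = parse_qs(url.query)
    if url.hostname != local_hostname.lower():
        problems.append(f"redirect target host {url.hostname!r} is not this host {local_hostname!r}")
    if url.path != "/ca/ee/ca/getCRL" or query.get("op") != ["getCRL"]:
        problems.append("redirect target is not Dogtag's getCRL servlet")
    if query.get("crlIssuingPoint") != ["MasterCRL"]:
        problems.append("redirect does not request crlIssuingPoint=MasterCRL")
    if "R=301" not in rule["flags"]:
        problems.append("rule lacks the R=301 flag, so clients are not redirected")
    return problems
```

A target host that differs from the local host is reported because, as explained above, the replica's rule is meant to send clients to its own Dogtag instance, not to the CRL generation master.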