On 7/30/19 10:00 AM, Rob Verduijn via FreeIPA-users wrote:
Hello,
I was doing some rtfm for migration of an ipa ca-renewal master to a
different system.
I figured that the docs on migrating from rhel7 to rhel8 would be a nice
help for me to migrate from one centos7 to another centos 7 system.
Something in the docs gave me pause.
In the doc in chapter 17.4 instruction 4
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
It states that on replicas at the bottom of the file
/etc/httpd/conf.d/ipa-pki-proxy.conf you should uncomment the rewrite
rule and ensure it points to the 'ca renewal master'
Hi,
the doc is incorrect, could you please file a bug?
Whole explanation:
To ensure that the CRL is consistent across all master/replicas, only
one of them is generating the official CRL. This node is called the CRL
generation master. It writes the CRL into 2 locations: a file in
/var/lib/ipa/pki-ca/publish/ and also into LDAP below
cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (this part of the tree is
replicated to all the replicas with a CA instance).
On all the nodes, the CRL can be found at
http://$hostname/ipa/crl/MasterCRL.bin.
On the CRL generation master, this URL corresponds to the file stored
locally in /var/lib/ipa/pki-ca/publish/MasterCRL.bin (see the
/etc/httpd/conf.d/ipa.conf file which defines Alias /ipa/crl
"/var/lib/ipa/pki-ca/publish").
On the other replicas, the /etc/httpd/conf.d/ipa-pki-proxy.conf file
configures a RewriteRule:
^/ipa/crl/MasterCRL.bin
http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
[L,R=301,NC]
This means that when an HTTP client accesses
http://$hostname/ipa/crl/MasterCRL.bin, it gets redirected to
http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL (on
the same host). This URL is processed by Dogtag servlets, which perform
an internal LDAP search on
cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (remember, this suffix is
replicated, meaning it contains the same data in the replica and in the
CRL generation master).
So it's completely normal that the RewriteRule points to the localhost
and not to the CRL generation master.
Hope this clarifies,
flo
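As an added example (not code from this thread, from FreeIPA or from Red Hat), here is a Python check a replica admin could run against the replica's ipa-pki-proxy.conf to confirm the behaviour flo describes: the MasterCRL RewriteRule must be active and must redirect to the replica's own Dogtag getCRL servlet, not to the CA renewal master. The config text, the hostnames (replica1.example.test, renewal-master.example.test) and the helper names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of the relevant lines from a replica's
# /etc/httpd/conf.d/ipa-pki-proxy.conf (assumption: the real file carries
# many more directives; only the MasterCRL RewriteRule matters here).
SAMPLE_PROXY_CONF = """\
# Redirect CRL requests to the local Dogtag CA servlet (constructed sample)
RewriteEngine on
RewriteRule ^/ipa/crl/MasterCRL.bin http://replica1.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""

DOGTAG_CRL_SERVLET = "/ca/ee/ca/getCRL"

# Matches an (optionally commented-out) RewriteRule line:
#   [#] RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(
    r"^\s*(#?)\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$"
)


def find_crl_rewrite(conf_text):
    """Return (commented, pattern, target, flags) for the MasterCRL.bin rule, or None."""
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        commented, pattern, target, flags = m.groups()
        if "MasterCRL.bin" in pattern:
            flag_set = {f.strip().upper() for f in (flags or "").split(",") if f.strip()}
            return bool(commented), pattern, target, flag_set
    return None


def check_crl_rewrite(conf_text, local_hostname):
    """Return a list of problems; an empty list means the rule matches the expected setup."""
    rule = find_crl_rewrite(conf_text)
    if rule is None:
        return ["no RewriteRule for MasterCRL.bin found"]
    commented, _pattern, target, flags = rule
    problems = []
    if commented:
        problems.append("rule is commented out")
    url = urlparse(target)
    # The redirect must stay on this host: Dogtag serves the CRL from the
    # replicated cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca subtree, so
    # no hop to the CRL generation master is needed.
    if url.hostname != local_hostname.lower():
        problems.append(
            f"target host {url.hostname!r} is not the local host {local_hostname!r}"
        )
    if url.path != DOGTAG_CRL_SERVLET:
        problems.append(f"target path {url.path!r} is not {DOGTAG_CRL_SERVLET!r}")
    query = parse_qs(url.query)
    if query.get("op") != ["getCRL"] or query.get("crlIssuingPoint") != ["MasterCRL"]:
        problems.append("query string does not request the MasterCRL issuing point")
    if not any(f == "R" or f.startswith("R=") for f in flags):
        problems.append("rule lacks the R (redirect) flag")
    return problems


def redirect_stays_local(request_url, location_header):
    """True if the Location header of the CRL redirect points back at the same host."""
    req, loc = urlparse(request_url), urlparse(location_header)
    return req.hostname == loc.hostname and loc.path == DOGTAG_CRL_SERVLET


if __name__ == "__main__":
    # On a real replica, read /etc/httpd/conf.d/ipa-pki-proxy.conf instead
    # of the constructed sample and pass the replica's own FQDN.
    for line in check_crl_rewrite(SAMPLE_PROXY_CONF, "replica1.example.test") or ["OK"]:
        print(line)
```

The second helper covers the same point from the client side: after fetching http://$hostname/ipa/crl/MasterCRL.bin without following redirects, the Location header should name the replica itself, which is the "normal" state flo describes rather than a misconfiguration.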
However on the centos 7 freeipa replica it points to the replica.

Is the configuration on the centos7 freeipa replica incorrect?
Or is the instruction from redhat in need of updates?

If it's the first, then the installation packages of freeipa on centos
need some attention, because I didn't configure that line as such.

Cheers
Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...