Hi
Thanks for the answer, sadly I've experienced that filing a bug with Red Hat
can be a real challenge when you know your stuff.
Since I'm not very familiar with the rewrite rules in combination with
FreeIPA, I won't be able to answer any questions they have.
Rob
On Wed, 31 Jul 2019 10:02, Florence Blanc-Renaud via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
On 7/30/19 10:00 AM, Rob Verduijn via FreeIPA-users wrote:
> Hello,
>
> I was doing some rtfm for migration of an ipa ca-renewal master to a
> different system.
> I figured that the docs on migrating from RHEL 7 to RHEL 8 would be a nice
> help for me to migrate from one CentOS 7 to another CentOS 7 system.
>
> Something in the docs gave me pause.
>
> In the doc in chapter 17.4 instruction 4
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>
> It states that on replicas at the bottom of the file
> /etc/httpd/conf.d/ipa-pki-proxy.conf you should uncomment the rewrite
> rule and ensure it points to the 'ca renewal master'
>
Hi,
the doc is incorrect, could you please file a bug?
Whole explanation:
to ensure that the CRL is consistent across all master/replicas, only
one of them is generating the official CRL. This node is called the CRL
generation master. It writes the CRL into 2 locations: a file in
/var/lib/ipa/pki-ca/publish/ and also into LDAP below
cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (this part of the tree is
replicated to all the replicas with a CA instance).
On all the nodes, the CRL can be found at
http://$hostname/ipa/crl/MasterCRL.bin.
On the CRL generation master, this URL corresponds to the file stored
locally in /var/lib/ipa/pki-ca/publish/MasterCRL.bin (see the
/etc/httpd/conf.d/ipa.conf file which defines Alias /ipa/crl
"/var/lib/ipa/pki-ca/publish").
On the other replicas, the /etc/httpd/conf.d/ipa-pki-proxy.conf file
configures a RewriteRule:
  ^/ipa/crl/MasterCRL.bin http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
This means that when an HTTP client accesses
http://$hostname/ipa/crl/MasterCRL.bin, it gets redirected to
http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL (on
the same host). This URL is processed by Dogtag servlets, which perform
an internal LDAP search on
cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (remember, this suffix is
replicated, meaning it contains the same data in the replica and in the
CRL generation master).
So it's completely normal that the RewriteRule points to the localhost
and not to the CRL generation master.
Hope this clarifies,
flo
>
> However on the CentOS 7 FreeIPA replica it points to the replica.
>
> Is the configuration on the CentOS 7 FreeIPA replica incorrect ?
> Or is the instruction from Red Hat in need of updates ?
>
> If it's the first, then the installation packages of FreeIPA on CentOS
> need some attention, because I didn't configure that line as such.
>
> Cheers
> Rob
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
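As an added example (not code from this thread or from the FreeIPA project), the two checks that follow from Florence's explanation: on a replica the active RewriteRule in /etc/httpd/conf.d/ipa-pki-proxy.conf must send /ipa/crl/MasterCRL.bin to the Dogtag getCRL servlet on the same host, while the CRL generation master serves the file itself through the Alias and keeps the rule commented out. Hostnames and config snippets are constructed, the config is assumed to carry literal FQDNs where the thread writes $hostname, and the response check works on a captured status and headers rather than fetching anything.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Path of the Dogtag servlet the thread says the RewriteRule must target.
GETCRL_PATH = "/ca/ee/ca/getCRL"

# Matches the MasterCRL.bin RewriteRule; the optional group records a leading '#'.
REWRITE_RE = re.compile(
    r"^\s*(?P<comment>#\s*)?RewriteRule\s+\S*MasterCRL\.bin\S*\s+(?P<target>\S+)", re.M)


def crl_rewrite_target(conf_text: str) -> Optional[str]:
    """Return the target URL of the active (uncommented) MasterCRL.bin rule, else None."""
    for m in REWRITE_RE.finditer(conf_text):
        if not m.group("comment"):
            return m.group("target")
    return None


def classify_crl_config(conf_text: str, local_host: str) -> str:
    """Classify ipa-pki-proxy.conf as found on the node named local_host."""
    target = crl_rewrite_target(conf_text)
    if target is None:
        # Expected on the CRL generation master: ipa.conf's Alias serves the file.
        return "no-active-rewrite"
    parts = urlsplit(target)
    if parts.path != GETCRL_PATH:
        return "unexpected-target"
    # Per the thread the redirect must stay on the same host, never the CRL master.
    same_host = (parts.hostname or "").lower() == local_host.lower()
    return "ok-local-dogtag" if same_host else "off-host-redirect"


def classify_crl_response(status: int, headers: dict, request_host: str) -> str:
    """Classify a captured response to GET http://request_host/ipa/crl/MasterCRL.bin."""
    if status == 200:
        return "served-file"  # Alias /ipa/crl -> /var/lib/ipa/pki-ca/publish
    if status in (301, 302):
        loc = urlsplit(headers.get("Location", ""))
        if loc.path != GETCRL_PATH:
            return "unexpected-redirect"
        same_host = (loc.hostname or "").lower() == request_host.lower()
        return "redirect-local-dogtag" if same_host else "redirect-off-host"
    return f"unexpected-status-{status}"


# Constructed sample configs (not taken from a real deployment).
REPLICA_CONF = """\
# Only enable this on replicas that are not the CRL generation master
RewriteRule ^/ipa/crl/MasterCRL.bin http://replica1.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""
MASTER_CONF = REPLICA_CONF.replace("\nRewriteRule", "\n#RewriteRule")
# What the (incorrect) doc step would produce on a replica: target is the CRL master.
MISCONFIGURED_CONF = REPLICA_CONF.replace("replica1.example.test", "master.example.test")
```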