[Freeipa-users] Re: ipa ca renewal master and ipa replica

On 7/30/19 10:00 AM, Rob Verduijn via FreeIPA-users wrote: > Hello, > > I was doing some rtfm for migration of an ipa ca-renewal master to a > different system. > I figured that the docs on migrating from rhel7 to rhel8 would be a nice > help for me to migrate from one centos7 to another centos 7 system. > > Something in the docs gave me pause. > > In the doc in chapter 17.4 instruction 4 > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... > > It states that on replicas at the bottom of the file > |/etc/httpd/conf.d/ipa-pki-proxy.conf you should uncomment the rewrite > rule and ensure it points to the 'ca renewal master' > Hi, the doc is incorrect, could you please file a bug? Whole explanation: to ensure that the CRL is consistent across all master/replicas, only one of them is generating the official CRL. This node is called the CRL generation master. It writes the CRL into 2 locations: a file in /var/lib/ipa/pki-ca/publish/ and also into LDAP below cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (this part of the tree is replicated to all the replicas with a CA instance). On all the nodes, the CRL can be found at http://$hostname/ipa/crl/MasterCRL.bin. On the CRL generation master, this URL corresponds to the file stored locally in /var/lib/ipa/pki-ca/publish/MasterCRL.bin (see the /etc/httpd/conf.d/ipa.conf file which defines Alias /ipa/crl "/var/lib/ipa/pki-ca/publish"). On the other replicas, the /etc/httpd/conf.d/ipa-pki-proxy.conf file configures a RewriteRule: ^/ipa/crl/MasterCRL.bin http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] This means that when a http client accesses http://$hostname/ipa/crl/MasterCRL.bin, it gets redirected to http://$hostname/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL (on the same host). This URL is processed by Dogtag servlets, which perform an internal LDAP search on cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca (remember, this suffix is replicated, meaning it contains the same data in the replica and in the CRL generation master). So it's completely normal that the RewriteRule points to the localhost and not to the CRL generation master. Hope this clarifies, flo > | > |However on the centos 7 freeipa replica it points to the replica.| > | > | > |Is the configuration on the centos7 freeipa replica incorrect ?| > |Or is the instruction from redhat in need of updates ?| > | > | > |If it's the first, then the installation packages of freeipa on centos > need some attention, because I didn't configure that line as such.| > | > | > |Cheers| > |Rob > | > | > | > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...