#1889 freeipa upgrades are broken until dogtag upgrade fixes are available
Closed: Fixed None Opened 12 years ago by simo.

Since we changed the way freeipa uses dogtag by configuring proxied access via AJP, upgrades are broken as dogtag configuration is not changed but constants.py uses the new ports.

This is a critical defect that should be fixed asap.
Depends on dogtag.


Adam please provide a manual procedure to fix it. We will send it to the lists until the fix is ready.

There are three files that need to be addressed.

On the Tomcat side, the files are in the Tomcat instance managed by IPA in /var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

    <Connector port="9447" protocol="AJP/1.3" redirectPort="9444" />

You can place it around line 281, above the comment for the line

    <Engine name="Catalina" defaultHost="localhost">

Second is:
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

    <init-param>
        <param-name>proxy_port</param-name>
        <param-value>443</param-value>
    </init-param>
    <init-param>
        <param-name>active</param-name>
        <param-value>true</param-value>
    </init-param>
    </filter>

The third change is creating a symlink to /etc/pki-ca/proxy.conf in the directory /etc/httpd/conf.d

Additional change required:

/var/lib/pki-ca/conf/CS.cfg

    http.port=8080
    https.port=8443

This is a duplicate of 1771

Do we want to automatically trigger the proxy upgrade upon install of the new IPA RPMS? It is easy enough to run a script that conditionally upgrades if the proxy file is not in place in /etc/httpd/conf.d and the PKI server is installed. Or, should it be on the end user to run the upgrade script?
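As an added example (not code from the ticket, FreeIPA or dogtag), a script that applies the four changes described above only when the condition proposed in this comment holds: a PKI instance is installed and proxy.conf is not yet linked into /etc/httpd/conf.d, each step skipping itself if already applied. The PKI_ROOT, HTTPD_CONFD and PROXY_CONF variables are assumptions that default to the ticket's paths, so the functions can be pointed at a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the ticket or from FreeIPA/dogtag: applies the manual
# proxy fix only when it is still missing. PKI_ROOT, HTTPD_CONFD and PROXY_CONF
# are assumed variables that default to the paths given in the ticket.
set -eu
PKI_ROOT="${PKI_ROOT:-/var/lib/pki-ca}"
HTTPD_CONFD="${HTTPD_CONFD:-/etc/httpd/conf.d}"
PROXY_CONF="${PROXY_CONF:-/etc/pki-ca/proxy.conf}"

# Upgrade only if a PKI instance exists and proxy.conf is not yet linked into
# httpd's conf.d (the condition proposed in the comment above).
needs_proxy_upgrade() {
    [ -f "$PKI_ROOT/conf/CS.cfg" ] && [ ! -e "$HTTPD_CONFD/proxy.conf" ]
}

# server.xml: add the AJP connector once, directly above the Catalina engine.
add_ajp_connector() {
    f="$PKI_ROOT/conf/server.xml"
    grep -q 'protocol="AJP/1.3"' "$f" && return 0
    awk '/<Engine name="Catalina"/ {
             print "    <Connector port=\"9447\" protocol=\"AJP/1.3\" redirectPort=\"9444\" />"
         } { print }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# web.xml: give every <filter> the proxy_port and active init-params, once.
add_proxy_init_params() {
    f="$PKI_ROOT/webapps/ca/WEB-INF/web.xml"
    grep -q '<param-name>proxy_port</param-name>' "$f" && return 0
    awk '/<\/filter>/ {
             print "        <init-param>"
             print "            <param-name>proxy_port</param-name>"
             print "            <param-value>443</param-value>"
             print "        </init-param>"
             print "        <init-param>"
             print "            <param-name>active</param-name>"
             print "            <param-value>true</param-value>"
             print "        </init-param>"
         } { print }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# CS.cfg: move dogtag to the ports that httpd proxies to.
set_cs_ports() {
    sed -i -e 's/^http\.port=.*/http.port=8080/' \
           -e 's/^https\.port=.*/https.port=8443/' "$PKI_ROOT/conf/CS.cfg"
}

run_proxy_upgrade() {
    needs_proxy_upgrade || return 0
    add_ajp_connector
    add_proxy_init_params
    set_cs_ports
    ln -s "$PROXY_CONF" "$HTTPD_CONFD/proxy.conf"
}
```

Call run_proxy_upgrade as root after the new IPA RPMs are installed; running it a second time is a no-op because the symlink check fails.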

Metadata Update from @simo:
- Issue assigned to admiyo
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)

7 years ago
