This ticket is being filed to address the changes that are a part of the following Dogtag ticket:
Basically, the Dogtag change requires the Dogtag Clone's SSL Server certificate (located on the IPA Replica) to be issued by its associated Dogtag Master (located on the IPA Master).
Basically, the following change needs to take place in the IPA Master's '/etc/httpd/conf.d/ipa-pki-proxy.cfg' file. Change:
    # matches for ee port
    <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        ProxyPassMatch ajp://localhost:8009
        ProxyPassReverse ajp://localhost:8009
    </LocationMatch>
to:
    # matches for ee port
    <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        NSSVerifyClient none
        ProxyPassMatch ajp://localhost:8009
        ProxyPassReverse ajp://localhost:8009
    </LocationMatch>
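As an added example (not FreeIPA's own code), a small Python check that parses LocationMatch blocks of the kind shown above and reports whether the master's proxy would forward a clone's /ca/ee/ca/profileSubmit request to Dogtag. OLD_CONF and NEW_CONF are constructed from the before/after snippets in this ticket; the helper names are assumptions of the example, and matching a URI against only the first ProxyPassMatch block is a simplification of httpd's section merging.

```python
"""Check whether an IPA master's ipa-pki-proxy config proxies the end-entity
URI a Dogtag clone needs when its SSL server cert is issued by the master.
Added example; not FreeIPA project code."""
import re

# Constructed from the ticket's "before" snippet (single ^ anchors, as in httpd).
OLD_CONF = '''\
# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
'''
# The ticket's "after" snippet: profileSubmit appended to the ee alternation.
NEW_CONF = OLD_CONF.replace('getCRL"', 'getCRL|^/ca/ee/ca/profileSubmit"')

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)


def location_blocks(conf):
    """Yield (regex, {directive: args}) for each LocationMatch block (assumed helper)."""
    for m in BLOCK_RE.finditer(conf):
        directives = {}
        for line in m.group(2).strip().splitlines():
            name, _, args = line.strip().partition(" ")
            directives[name] = args.strip()
        yield m.group(1), directives


def proxied_by(conf, uri):
    """Return (regex, directives) of the first ProxyPassMatch block whose
    regex matches URI, or None if nothing would proxy it (assumed helper)."""
    for pattern, directives in location_blocks(conf):
        if "ProxyPassMatch" in directives and re.search(pattern, uri):
            return pattern, directives
    return None


def clone_can_submit(conf):
    """True if the clone's enrollment request reaches Dogtag: the URI is
    proxied and, as in the ticket's ee block, no client cert is demanded
    (the clone has no agent cert yet when it asks for its server cert)."""
    hit = proxied_by(conf, "/ca/ee/ca/profileSubmit")
    return hit is not None and hit[1].get("NSSVerifyClient") == "none"
```

Run against the real file with `open("/etc/httpd/conf.d/ipa-pki-proxy.conf").read()` in place of the constructed text.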
attachment freeipa-mkosek-464-proxy-pki-clone-ca-ee-ca-profilesubmit-uri.patch
Patch freeipa-mkosek-464-proxy-pki-clone-ca-ee-ca-profilesubmit-uri.patch sent for review
master:
ipa-3-3:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1080865
Metadata Update from @mharmsen: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)