From 036d6fbf3d2af9f805f28f03679afc6ae1c25282 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 17 Feb 2017 15:59:57 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA no longer needs to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
freeipa.spec.in | 4 ++--
ipaserver/install/cainstance.py | 4 ----
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
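--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -159,8 +159,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.4
-Requires: pki-kra >= 10.3.4
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip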
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
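--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
 
- # PKI IPv6 Configuration
- config.add_section("Tomcat")
- config.set("Tomcat", "pki_ajp_host", "::1")
-
 # Generate configuration file
 with open(cfg_file, "wb") as f:
 config.write(f)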
--
2.9.3