rpms / ipa

Clone
Source Code
GIT

Files

  1.   b2aa39a344317a6d2f7eba466b187d418ddfc7d1
  2.   SOURCES
  3.   1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
Blob Blame History Raw 
From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 12 Jan 2017 18:17:15 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"

When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.

https://fedorahosted.org/freeipa/ticket/6575

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 freeipa.spec.in                 | 4 ++--
 ipaserver/install/cainstance.py | 4 ----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -159,8 +159,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.4
-Requires: pki-kra >= 10.3.4
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
             config.set("CA", "pki_external_step_two", "True")
 
-        # PKI IPv6 Configuration
-        config.add_section("Tomcat")
-        config.set("Tomcat", "pki_ajp_host", "::1")
-
         # Generate configuration file
         with open(cfg_file, "wb") as f:
             config.write(f)
-- 
2.9.3

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation