author: Florence Blanc-Renaud <flo@redhat.com> 2017-01-12 18:17:15 +0100
committer: Martin Basti <mbasti@redhat.com> 2017-02-17 14:58:06 +0100
commit: eaa87c75b9f57500265b2dc9480b996b2b92e1e3
tree: 5d756bdeb443c6f199502f92a9790556ded5d984
parent: 98bf0cc9663ac281247ac8d9ee8488e3ab8102eb
Do not configure PKI ajp redirection to use "::1"

When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" />

i.e. all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
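
The condition described in the commit message can be checked offline from the two files involved. The following is an added example, not code from FreeIPA or PKI: the function names, finding strings and sample inputs are constructed, host names are judged from the hosts file text only, and the check also reports an AJP connector whose address is not loopback.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the commit's Connector, and a hosts file without ::1.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" />
</Service></Server>"""
SAMPLE_HOSTS = "127.0.0.1 localhost localhost.localdomain  # no ::1 entry\n"


def parse_hosts(hosts_text):
    """Map each host name in hosts-file text to the set of addresses listed for it."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank line, comment, or an address this parser does not handle
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(ip)
    return names


def check_ajp_connectors(server_xml_text, hosts_text):
    """Return (port, address, finding) for every AJP <Connector> in server.xml text."""
    hosts, results = parse_hosts(hosts_text), []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        addr, finding = conn.get("address"), "ok"
        try:
            ip = ipaddress.ip_address(addr) if addr else None
        except ValueError:
            ip = None  # address is a host name, judged through the hosts file
        if addr is None:
            finding = "no address attribute: bind address is left to the Tomcat default"
        elif ip is not None and not ip.is_loopback:
            finding = "literal address is not loopback"
        elif ip is not None and ip not in hosts.get("localhost", set()):
            finding = "hosts file does not define this address for localhost"
        elif ip is None and not hosts.get(addr.lower()):
            finding = "host name is not defined in the hosts file"
        elif ip is None and not all(a.is_loopback for a in hosts[addr.lower()]):
            finding = "host name maps to a non-loopback address"
        results.append((conn.get("port"), addr, finding))
    return results
```

On a real server the two arguments would be the contents of /etc/pki/pki-tomcat/server.xml and /etc/hosts.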

-rw-r--r-- freeipa.spec.in 4
-rw-r--r-- ipaserver/install/cainstance.py 4
2 files changed, 2 insertions, 6 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index be32bf88b..5c835ca29 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -250,8 +250,8 @@ Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.5-6
-Requires: pki-kra >= 10.3.5-6
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: policycoreutils >= 2.1.12-5
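Review bot: the minimum PKI version is written out twice, on the pki-ca and pki-kra lines, while the neighbouring Requires use macros such as %{selinux_policy_version} and %{slapi_nis_version}. A single macro for the PKI version would keep the two lines from drifting apart on the next bump, and a short comment naming ticket 6575 would record why 10.3.5-11 is the floor.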
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 52485b97b..3c86b9154 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -596,10 +596,6 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
- # PKI IPv6 Configuration
- config.add_section("Tomcat")
- config.set("Tomcat", "pki_ajp_host", "::1")
-
# Generate configuration file
with open(cfg_file, "w") as f:
config.write(f)
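Review bot: with the "Tomcat" section dropped after the pki_external_step_two line, nothing in this file says where the AJP bind address now comes from, so the loopback binding of port 8009 depends entirely on the PKI default. Consider a one-line comment before "# Generate configuration file" stating that pki_ajp_host is intentionally left to PKI, which per the commit message defaults to "localhost" from 10.3.5-11. It is also worth confirming that no later code sets options in the "Tomcat" section, since config.add_section("Tomcat") is no longer called here.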