On 2016-07-01 10:48, Petr Spacek wrote:
> On 1.7.2016 10:42, Christian Heimes wrote:
>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>> returns OK. The ca_status() function defaults to api.env.ca_host as
>> host.
>>
>> On a replica without CA ca_host is a remote host (e.g. master's
>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>> which might be blocked by a firewall.
>>
>> https://fedorahosted.org/freeipa/ticket/6016
>
> Interesting. How it happens that replica without CA is calling
> RedHatCAService?
>
> Also, why replica should be waiting for CA if it is not installed?
>
> I'm confused.

There is a hint in the last sentence: ipa-ca-install

The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
doesn't wait for the local Dogtag to come up but connects to a remote
Dogtag to check if it's up. It uses 8443 or 8080, which might be blocked.
In my test setup I have both ports blocked so ipa-ca-install never succeeds.

Christian