URL: https://github.com/freeipa/freeipa/pull/788
Author: flo-renaud
Title: #788: ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
Action: opened

PR body:
"""
During ipa-kra-install, the installer prepares a configuration file provided to pkispawn. This configuration file defines pki_security_domain_hostname=(first master) but when we are installing a clone, it should be set to the local hostname instead, see man page pki_default.cfg:

    pki_security_domain_hostname, pki_security_domain_https_port
        Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance.

When pki_security_domain_hostname points to the 1st master, and this first master is decommissioned, ipa-kra-install fails on new replicas because pkispawn tries to connect to this (non-existing) host.

https://pagure.io/freeipa/issue/6895
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/788/head:pr788
git checkout pr788

From 4a3f1cb7c18e597d4e128b4da1a1676d43411381 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 11 May 2017 14:53:09 +0200 Subject: [PATCH] ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname During ipa-kra-install, the installer prepares a configuration file provided to pkispawn. This configuration file defines pki_security_domain_hostname=(first master) but when we are installing a clone, it should be set to the local hostname instead, see man page pki_default.cfg: pki_security_domain_hostname, pki_security_domain_https_port Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance. When pki_security_domain_hostname points to the 1st master, and this first master is decommissioned, ipa-kra-install fails on new replicas because pkispawn tries to connect to this (non-existing) host. https://pagure.io/freeipa/issue/6895 --- ipaserver/install/krainstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index abb8189..cdd25b9 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -252,7 +252,7 @@ def __spawn_instance(self): os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) # Security domain registration - config.set("KRA", "pki_security_domain_hostname", self.master_host) + config.set("KRA", "pki_security_domain_hostname", self.fqdn) config.set("KRA", "pki_security_domain_https_port", "443") config.set("KRA", "pki_security_domain_user", self.admin_user) config.set("KRA", "pki_security_domain_password",
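Review bot: The replacement on the `pki_security_domain_hostname` line in `__spawn_instance` is unconditional, while the commit message only argues for the local hostname "when we are installing a clone". Please state in the commit message or in a comment under `# Security domain registration` that `self.fqdn` is also the right value for the first KRA install, or guard the change on the clone case if it is not. The next line still hard-codes `pki_security_domain_https_port` to "443", so that port now has to be the one served by the local host; a short comment saying so would help. If `self.master_host` is no longer read anywhere else in this method after the change, note that as well so a later reader does not assume the security domain still depends on the first master.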