On 23/12/2016 10:31, Alexander Bokovoy wrote:
> ipa-ca used to be a CNAME, you cannot handle CNAME via /etc/hosts.
> However, multiple replicas cannot be specified via CNAME, so we had to
> fix https://fedorahosted.org/freeipa/ticket/3547.
Absolutely - I have no problem with ipa-ca being real A record(s)
pointing to the server itself.
All I'm saying is that at installation time, it already knew the IP
address of the server - by local hostname resolution, and because
ipa-server-install asks you to list the IP addresses of the server
explicitly.
> The ipa-ca A record is now handled as part of the server upgrade which
> also should be run at the very end of a normal install.
Are you supposed to manually run "ipa-server-upgrade" even after a
clean install?
I've just tested that, and yes, one of the steps is:
...
[Add missing CA DNS records]
Updating DNS system records
<< pauses here >>
unable to resolve host name ipatest.foo.example.com. to IP address,
ipa-ca DNS record will be incomplete
...
So you're right: that would have fixed it *if* I'd created the
foo.example.com zone first, and added the host to it, which in real life
I would have done (since other hosts must be able to resolve the IPA
server's hostname).
I already opened https://fedorahosted.org/freeipa/ticket/6579 which
suggested using local resolution, e.g. via gethostent(). But feel free
to close it if you don't think this is needed.
Regards,
Brian.
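To make the behaviour discussed above concrete, here is an added example (not FreeIPA's code and not part of this thread) of what the upgrade step's "ipa-ca DNS record will be incomplete" warning amounts to, and of the local-resolution fallback that ticket 6579 suggests: try to resolve the server's own hostname, and if DNS cannot answer, fall back to the hosts file before giving up. The hostname, the domain, the /etc/hosts content and the function names are all constructed for the example; the real installer's internals may differ.

```python
import ipaddress
import socket

# Constructed /etc/hosts-style content standing in for local hostname
# resolution on the IPA server (the gethostent()-style lookup suggested in
# ticket 6579). Hostname and addresses are made up for this example.
LOCAL_HOSTS = """\
127.0.0.1    localhost
::1          localhost
192.0.2.10   ipatest.foo.example.com ipatest
2001:db8::10 ipatest.foo.example.com ipatest
"""


def parse_hosts(text):
    """Return {hostname: [addresses]} parsed from /etc/hosts-formatted text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def local_resolve(hostname, hosts_text=LOCAL_HOSTS):
    """Local (hosts-file) resolution, used as the fallback when DNS fails."""
    return parse_hosts(hosts_text).get(hostname.lower().rstrip("."), [])


def dns_resolve(hostname):
    """Resolution through the system resolver; empty list on failure.
    Note that getaddrinfo() already follows nsswitch.conf, so on a real
    host it consults /etc/hosts as well as DNS."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def ipa_ca_records(server_hostname, domain,
                   resolvers=(dns_resolve, local_resolve)):
    """Build the ipa-ca A/AAAA records for the server, trying each resolver
    in turn. Returns (records, complete); complete is False when no resolver
    produced an address, which is the 'incomplete' case the upgrade warns about."""
    for resolve in resolvers:
        addrs = resolve(server_hostname)
        if addrs:
            break
    else:
        return [], False
    records = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)          # validates the address
        rtype = "AAAA" if ip.version == 6 else "A"
        records.append((f"ipa-ca.{domain}.", rtype, str(ip)))
    return records, True


if __name__ == "__main__":
    # Simulate the situation from the thread: DNS has no entry for the
    # server yet (the zone was not created), so only local resolution helps.
    failing_dns = lambda hostname: []
    recs, ok = ipa_ca_records("ipatest.foo.example.com", "foo.example.com",
                              resolvers=(failing_dns, local_resolve))
    for name, rtype, value in recs:
        print(f"{name} IN {rtype} {value}")
    print("complete" if ok else "ipa-ca DNS record will be incomplete")
```

The check a practitioner would run after a fresh install is the same comparison in reverse: resolve `ipa-ca.<domain>` and confirm every address it returns belongs to one of the IPA servers, since the CA record is what clients use to reach the certificate service.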
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project