On Wed, 29 Mar 2017, Chris Herdt wrote:
> I'm curious as to why HTTP (port 80) is needed for IPA server replication, particularly since HTTPS (port 443) is also used. What unencrypted data is exchanged?
Because you need to access the OCSP endpoint without getting into the chicken-and-egg problem of trusting or not trusting a certificate:
# openssl x509 -in /etc/ipa/ca.crt -noout -ocsp_uri
http://ipa-ca.example.com/ca/ocsp

See https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

--
/ Alexander Bokovoy
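Added example, not part of the original post or of FreeIPA's own tooling: an offline walk-through of why the OCSP pointer can be plain HTTP, since the client accepts a response only if its signature chains to the CA it already holds. The throwaway CA, the "rogue" signer, the host name replica.example.test and serial 0x1001 are all constructed; the OCSP URL from the post is reused only as a certificate extension value and is never contacted.

```shell
# Constructed throwaway PKI in a temp dir; all names and the serial are made up.
D=$(mktemp -d); cd "$D" || exit 1
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
authorityInfoAccess = OCSP;URI:http://ipa-ca.example.com/ca/ocsp
EOF

mkca() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca_ext \
        -subj "/CN=$2" -days 2 -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mkca ca "Constructed IPA-like CA"
mkca rogue "Constructed untrusted signer"

# Leaf certificate carrying the plain-HTTP OCSP pointer, serial 0x1001.
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=replica.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 -days 2 \
    -extfile pki.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null

# Minimal CA database entry (V = valid) for the offline responder.
printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=replica.example.test\n' > index.txt

ocsp_uri() { openssl x509 -in leaf.crt -noout -ocsp_uri; }

# Request and response are plain files here: the transport carries no trust.
openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der
sign_response() {  # $1 = signer prefix, $2 = output file
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
        -reqin req.der -respout "$2" >/dev/null 2>&1
}
sign_response ca good.der
sign_response rogue forged.der

# Client check: accept only a response whose signature chains to ca.crt.
verify_response() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin "$1" \
        -CAfile ca.crt 2>&1 | grep -q "Response verify OK"
}
```

`verify_response good.der` succeeds and `verify_response forged.der` fails, although both files claim the certificate is good.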
