Re: [Freeipa-users] [Fwd: [Freeipa-devel] script to proxy-ize a dogtag instance]

2011-09-29 Thread Sigbjorn Lie

On 09/28/2011 11:36 PM, Ade Lee wrote:

Cross-posting to freeipa-users.

In addition, Adam determined that the following directives need to be
enabled in /etc/httpd/conf.d/nss.conf :

NSSRenegotiation on
NSSRequireSafeNegotiation on

Ade



I have manually verified the files from reading your script, while cross-
referencing with the replies from Adam Young. I am still receiving an 
error both in the webui and the cli: ipa: ERROR: Certificate operation 
cannot be completed: Unable to communicate with CMS (Bad Request).


Have you verified this script as working in another environment? ... 
Meaning there would be something wrong with the changes I've done 
manually along the way...


I have done these changes on one IPA server only so far for testing, I 
don't see any traffic going to the other IPA servers while I'm doing 
ipa cert-show or ipa host-disable. Does it need to be done on all the IPA 
servers to work successfully?



Rgds,
Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] [Fwd: [Freeipa-devel] script to proxy-ize a dogtag instance]

2011-09-28 Thread Ade Lee
Cross-posting to freeipa-users.

In addition, Adam determined that the following directives need to be
enabled in /etc/httpd/conf.d/nss.conf :
 
NSSRenegotiation on
NSSRequireSafeNegotiation on

Ade

---BeginMessage---
Hi, 

With recent changes, Dogtag instances in IPA now reside behind an Apache
proxy and are accessed using ports 80 and 443.  This is the default
configuration for any newly created instances.

Older instances that have been recently upgraded will need to run a
script to upgrade the Dogtag configuration to use the Apache proxy.

A script (pki_setup_proxy) is attached.  It is essentially complete -
only needing things like usage() and some cleanup.  It has been through
some minimal testing.  I am posting it now to help users who are stuck
to fix their existing instances.  It will be delivered as part of
pki-setup in the very near future.

The script will modify the following files (making a backup of each as
$filename.pre-proxy beforehand).
/var/lib/pki-ca/conf/proxy.conf
/var/lib/pki-ca/conf/CS.cfg
/var/lib/pki-ca/conf/server.xml
/var/lib/pki-ca/webapps/ca/WEB_INF/web.xml
/var/lib/pki-ca/webapps/ca/ee/ca/ProfileSubmit.template

And will log all actions in /var/log/pki-ca-proxy-setup.log

*
Instructions for IPA:

1. Run the script as follows (as root):
chmod +x pki-setup-proxy
./pki-setup-proxy -pki_instance_root=/var/lib -pki_instance_name=pki-ca -subsystem_type=ca

2. Copy the proxy.conf file: 

cp /var/lib/pki-ca/conf/proxy.conf /etc/httpd/conf.d/ipa-pki-proxy.conf

3. Restart IPA.



Please send me feedback if things don't work!

Thanks, 
Ade




Attachment: pki-setup-proxy (Perl program)
___
Freeipa-devel mailing list
freeipa-de...@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
---End Message---
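An added example, not the pki-setup-proxy script from the thread: a small POSIX shell helper that enables the two mod_nss directives Ade mentions in a copy of nss.conf idempotently (replacing an active or commented-out line, appending otherwise), keeps the script's `*.pre-proxy` backup convention, and checks the result. It assumes GNU sed/awk; the sample nss.conf fragment and the temp-file paths are constructed for the example.

```shell
#!/bin/sh
# Example helper (not part of pki-setup-proxy): enforce and verify the two
# mod_nss directives from the thread, backing up the file once as FILE.pre-proxy.
set -eu

# set_nss_directive FILE NAME VALUE
# Rewrites an existing "NAME ..." line, whether active or commented out with '#',
# to "NAME VALUE"; appends the line when the directive is absent.
set_nss_directive() {
    file=$1; name=$2; value=$3
    [ -f "$file.pre-proxy" ] || cp -p "$file" "$file.pre-proxy"   # backup before first change
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$name[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$name[[:space:]].*/$name $value/" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# directive_value FILE NAME: prints the active (uncommented) value, empty if unset
directive_value() {
    awk -v n="$2" '$1 == n { print $2 }' "$1" | tail -n 1
}

# check_nss_conf FILE: succeeds only when both directives are active and "on"
check_nss_conf() {
    [ "$(directive_value "$1" NSSRenegotiation)" = on ] &&
    [ "$(directive_value "$1" NSSRequireSafeNegotiation)" = on ]
}

# Constructed sample: one directive commented out, the other set to off.
make_sample_nss_conf() {
    cat > "$1" <<'EOF'
NSSEngine on
#NSSRenegotiation off
NSSRequireSafeNegotiation off
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_nss_conf "$tmp"
    set_nss_directive "$tmp" NSSRenegotiation on
    set_nss_directive "$tmp" NSSRequireSafeNegotiation on
    check_nss_conf "$tmp" && echo "ok: both directives enabled (backup: $tmp.pre-proxy)"
    rm -f "$tmp" "$tmp.pre-proxy"
}

demo
```

On a real server the same functions would be pointed at /etc/httpd/conf.d/nss.conf, followed by the IPA restart from step 3.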