[Freeipa-devel] [PATCH] 464 Proxy PKI clone /ca/ee/ca/profileSubmit URI

Alexander Bokovoy abokovoy at redhat.com
Sun Mar 23 21:35:15 UTC 2014


On Thu, 20 Mar 2014, Martin Kosek wrote:
>PKI change done in ticket https://fedorahosted.org/pki/ticket/816
>requires the PKI Clone's SSL Server certificate to be issued by
>its associated PKI master.
>
>Allow this call on IPA master.
>
>https://fedorahosted.org/freeipa/ticket/4265
>
>---
>
>We will need this change in upcoming FreeIPA 3.3.5 which would be then needed
>both in F19 and F20 to make the F20 cloning work again.
>
>Martin

>From 3cbeb946d72c6d3136ad8ae75d8f6719e6db06f4 Mon Sep 17 00:00:00 2001
>From: Martin Kosek <mkosek at redhat.com>
>Date: Thu, 20 Mar 2014 09:34:53 +0100
>Subject: [PATCH] Proxy PKI clone /ca/ee/ca/profileSubmit URI
>
>PKI change done in ticket https://fedorahosted.org/pki/ticket/816
>requires the PKI Clone's SSL Server certificate to be issued by
>its associated PKI master.
>
>Allow this call on IPA master.
>
>https://fedorahosted.org/freeipa/ticket/4265
>---
> install/conf/ipa-pki-proxy.conf | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
>index 6f0463242b75a58cf63a38e62c23fa372aeacf64..224cdd45b5b5f72671a179570fd15772fe8cfaab 100644
>--- a/install/conf/ipa-pki-proxy.conf
>+++ b/install/conf/ipa-pki-proxy.conf
>@@ -1,9 +1,9 @@
>-# VERSION 3 - DO NOT REMOVE THIS LINE
>+# VERSION 4 - DO NOT REMOVE THIS LINE
> 
> ProxyRequests Off
> 
> # matches for ee port
>-<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>     NSSVerifyClient none
>     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
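
Review bot: The new alternative `^/ca/ee/ca/profileSubmit` in the LocationMatch pattern is anchored only at the start, so this block, which sets `NSSVerifyClient none` and proxies to `ajp://localhost:$DOGTAG_PORT`, will also match any longer URI that merely begins with that prefix. If only the exact endpoint is meant to be reachable, consider ending that alternative with `$`; if prefix matching is intentional, as it already is for the other alternatives in the pattern, a short comment above the LocationMatch would make that explicit. The commit message could also state that the endpoint is now proxied without client certificate verification at the proxy, so any access control on it has to be enforced by the backend behind the proxy.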

ACK, straightforward fix.

-- 
/ Alexander Bokovoy



