[Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance
Petr Spacek
pspacek at redhat.com
Fri Jul 1 08:59:02 UTC 2016
On 1.7.2016 10:55, Christian Heimes wrote:
> On 2016-07-01 10:48, Petr Spacek wrote:
>> On 1.7.2016 10:42, Christian Heimes wrote:
>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>> host.
>>>
>>> On a replica without CA ca_host is a remote host (e.g. master's
>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>> which might be blocked by a firewall.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6016
>>
>> Interesting. How does it happen that a replica without a CA is calling RedHatCAService?
>>
>> Also, why should a replica be waiting for the CA if it is not installed?
>>
>> I'm confused.
>
> There is a hint in the last sentence: ipa-ca-install
>
> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
> doesn't wait for the local Dogtag to come up but connects to a remote
> Dogtag to check if it's up. It uses 8443 or 8080, which might be
> blocked. In my test setup I have both ports blocked so ipa-ca-install
> never succeeds.

Oh, I missed that, thanks!

Isn't the root cause that ipa.env.ca_host does not get updated during
ipa-ca-install?

--
Petr^2 Spacek