[Freeipa-users] crl url redirecting to https
Rob Crittenden
rcritten at redhat.com
Tue Nov 10 16:02:50 UTC 2015
Natxo Asenjo wrote:
> hi,
>
> I just noticed some stuff was not functioning properly and it's because
> the crl url is being redirected to https (centos 6.7).
>
>
> $ curl http://kdc01.unix.domain.tld/ipa/crl/
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a
> href="https://kdc01.unix.domain.tld/ipa/crl/">here</a>.</p>
> <hr>
> <address>Apache/2.2.15 (CentOS) Server at kdc01.unix.domain.tld Port
> 80</address>
> </body></html>
>
> This is ipa-rewrite.conf, it should not be happening, but it does:
>
> $ cat ipa-rewrite.conf
> # VERSION 3 - DO NOT REMOVE THIS LINE
>
> RewriteEngine on
>
> # By default forward all requests to /ipa. If you don't want IPA
> # to be the default on your web server comment this line out.
> RewriteRule ^/$ https://kdc01.unix.iriszorg.nl/ipa/ui [L,NC,R=301]
>
> # Redirect to the fully-qualified hostname. Not redirecting to secure
> # port so configuration files can be retrieved without requiring SSL.
> RewriteCond %{HTTP_HOST} !^kdc01.unix.iriszorg.nl$ [NC]
> RewriteRule ^/ipa/(.*) http://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301]
>
> # Redirect to the secure port if not displaying an error or retrieving
> # configuration.
> RewriteCond %{SERVER_PORT} !^443$
> RewriteCond %{REQUEST_URI} !^/ipa/(errors|config)
> RewriteRule ^/ipa/(.*) https://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301,NC]
>
> Any ideas on how to fix this?

You should have sections like these in /etc/httpd/conf.d/ipa.conf:

<Location "/ipa/crl">
  SetHandler None
</Location>

...

# For CRL publishing
Alias /ipa/crl "/var/lib/ipa/pki-ca/publish"
<Directory "/var/lib/ipa/pki-ca/publish">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>

rob
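
As an added example (not part of the original thread and not FreeIPA code), this small Python model of the three rule blocks in the quoted ipa-rewrite.conf shows which plain-HTTP requests they redirect. It assumes server-context mod_rewrite matching (rule pattern first, then conditions, stop on the first rule that fires), and the request paths are constructed.

```python
import re

FQDN = "kdc01.unix.iriszorg.nl"  # hostname as it appears in the posted rules

# (rule pattern, rule has [NC], conditions, redirect target), in file order.
# Each condition: (request variable, regex, negated "!", has [NC]).
RULES = [
    (r"^/$", True, [], f"https://{FQDN}/ipa/ui"),
    (r"^/ipa/(.*)", False,
     [("HTTP_HOST", rf"^{FQDN}$", True, True)],
     f"http://{FQDN}/ipa/$1"),
    (r"^/ipa/(.*)", True,
     [("SERVER_PORT", r"^443$", True, False),
      ("REQUEST_URI", r"^/ipa/(errors|config)", True, False)],
     f"https://{FQDN}/ipa/$1"),
]


def evaluate(host, port, uri):
    """Return the 301 Location the rules produce, or None if no rule fires."""
    env = {"HTTP_HOST": host, "SERVER_PORT": str(port), "REQUEST_URI": uri}
    for pattern, nocase, conds, target in RULES:
        m = re.search(pattern, uri, re.I if nocase else 0)
        if not m:
            continue
        ok = True
        for var, regex, negated, cond_nocase in conds:
            hit = re.search(regex, env[var], re.I if cond_nocase else 0) is not None
            if hit == negated:  # a "!" condition fails when its regex matches
                ok = False
                break
        if ok:
            # [L,R=301]: substitute $1 and stop processing further rules
            return target.replace("$1", m.group(1) if m.groups() else "")
    return None


if __name__ == "__main__":
    # Constructed request paths, all sent to port 80 with the FQDN as Host.
    for uri in ("/ipa/crl/", "/ipa/crl/sample.bin", "/ipa/config/ca.crt"):
        print(uri, "->", evaluate(FQDN, 80, uri))
```

With the rules as posted, only paths under /ipa/errors and /ipa/config are exempt from the redirect to the secure port, so a port-80 request for /ipa/crl/ gets the same 301 that the curl output shows.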