[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

Alexander Bokovoy abokovoy at redhat.com
Fri Dec 23 10:31:00 UTC 2016


On Fri, 23 Dec 2016, Brian Candler wrote:
>On 23/12/2016 09:47, Brian Candler wrote:
>>/etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp
>>
>>
>>However the installation process didn't actually create this DNS 
>>entry, so the ipa-ca hostname is not resolvable.
>
>Aside: I think this was because ipatest.foo.example.com was only in 
>/etc/hosts, not in the DNS. Installation message:
>
>ipa         : ERROR    unable to resolve host name 
>ipatest.foo.example.com. to IP address, ipa-ca DNS record will be 
>incomplete
>
>But if it had used gethostent() or similar, it would have worked:
>
># getent hosts ipatest.foo.example.com
>100.64.2.3      ipatest.foo.example.com ipatest

ipa-ca used to be a CNAME, you cannot handle CNAME via /etc/hosts.
However, multiple replicas cannot be specified via CNAME, so we had to
fix https://fedorahosted.org/freeipa/ticket/3547.

The ipa-ca A record is now handled as part of the server upgrade which
also should be run at the very end of a normal install.
-- 
/ Alexander Bokovoy
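
The CNAME limitation mentioned in the reply above, as an added example that is not part of the original message and is not FreeIPA code: a small record-set check showing why one `ipa-ca` CNAME per replica is invalid DNS while one A record per replica is fine. The second replica `ipatest2` and the address 100.64.2.4 are constructed for illustration.

```python
# Added illustration, not FreeIPA code. Only ipatest.foo.example.com,
# 100.64.2.3 and the ipa-ca name come from the thread; the rest is constructed.

def rrset_problems(records, name):
    """Return DNS rule violations for the records that exist at `name`.

    records: list of (owner, rtype, rdata) tuples.
    Rules checked: a name may carry at most one CNAME (RFC 2181, 10.1), and a
    name that has a CNAME may carry no other data (RFC 1034, 3.6.2).
    """
    at_name = [r for r in records if r[0] == name]
    cnames = [r for r in at_name if r[1] == "CNAME"]
    others = [r for r in at_name if r[1] != "CNAME"]
    problems = []
    if len(cnames) > 1:
        problems.append("%s: %d CNAME records, only one is allowed"
                        % (name, len(cnames)))
    if cnames and others:
        problems.append("%s: CNAME cannot coexist with other records" % name)
    return problems


def ipa_ca_a_records(domain, ca_replicas):
    """Build one ipa-ca A record per CA replica (the A-record layout)."""
    owner = "ipa-ca.%s." % domain
    return [(owner, "A", addr) for addr in ca_replicas.values()]


DOMAIN = "bar.example.com"
IPA_CA = "ipa-ca.%s." % DOMAIN
# Constructed sample data: the second replica is hypothetical.
REPLICAS = {"ipatest.foo.example.com.": "100.64.2.3",
            "ipatest2.foo.example.com.": "100.64.2.4"}

# CNAME layout stretched to two replicas: one CNAME per replica.
cname_layout = [(IPA_CA, "CNAME", host) for host in REPLICAS]
# A-record layout: one address record per replica at the same name.
a_layout = ipa_ca_a_records(DOMAIN, REPLICAS)

if __name__ == "__main__":
    for label, layout in (("CNAME", cname_layout), ("A", a_layout)):
        print(label, rrset_problems(layout, IPA_CA) or "ok")
```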



