Nalin Dahyabhai wrote:
This is a stab at fixing #1252 - teaching the RA to handle cases where
the local server isn't a CA.
When the RA is about to submit a signing request to a CA, it currently
assumes that the CA is colocated. This modifies its behavior so that
the first time it needs to submit a signing request, it:
1. Checks if the configured ca_host is actually a CA. If it is, use it.
2. Checks if the local host (if it's not also the configured ca_host)
is a CA. If it is, use it.
3. Checks if there are any CAs in the domain. If there are, select one
of them at random and use it.
4. Give up, behave as before, and let the error we previously would
have gotten for trying to submit a signing request to a non-CA happen.
Ack, pushed to master.
Freeipa-devel mailing list