PKI change done in ticket https://fedorahosted.org/pki/ticket/816 requires the PKI Clone's SSL Server certificate to be issued by it's associated PKI master.
Allow this call on IPA master. https://fedorahosted.org/freeipa/ticket/4265 --- We will need this change in upcoming FreeIPA 3.3.5 which would be then needed both in F19 and F20 to make the F20 cloning work again. Martin
From 3cbeb946d72c6d3136ad8ae75d8f6719e6db06f4 Mon Sep 17 00:00:00 2001 From: Martin Kosek <[email protected]> Date: Thu, 20 Mar 2014 09:34:53 +0100 Subject: [PATCH] Proxy PKI clone /ca/ee/ca/profileSubmit URI PKI change done in ticket https://fedorahosted.org/pki/ticket/816 requires the PKI Clone's SSL Server certificate to be issued by it's associated PKI master. Allow this call on IPA master. https://fedorahosted.org/freeipa/ticket/4265 --- install/conf/ipa-pki-proxy.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 6f0463242b75a58cf63a38e62c23fa372aeacf64..224cdd45b5b5f72671a179570fd15772fe8cfaab 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,9 +1,9 @@ -# VERSION 3 - DO NOT REMOVE THIS LINE +# VERSION 4 - DO NOT REMOVE THIS LINE ProxyRequests Off # matches for ee port -<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL"> +<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT -- 1.8.5.3
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
