On Thu, 20 Mar 2014, Martin Kosek wrote:
PKI change done in ticket https://fedorahosted.org/pki/ticket/816
requires the PKI Clone's SSL Server certificate to be issued by
its associated PKI master.

Allow this call on IPA master.

https://fedorahosted.org/freeipa/ticket/4265

---

We will need this change in the upcoming FreeIPA 3.3.5, which would then be needed
both in F19 and F20 to make the F20 cloning work again.

Martin

From 3cbeb946d72c6d3136ad8ae75d8f6719e6db06f4 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 20 Mar 2014 09:34:53 +0100
Subject: [PATCH] Proxy PKI clone /ca/ee/ca/profileSubmit URI

PKI change done in ticket https://fedorahosted.org/pki/ticket/816
requires the PKI Clone's SSL Server certificate to be issued by
its associated PKI master.

Allow this call on IPA master.

https://fedorahosted.org/freeipa/ticket/4265
---
install/conf/ipa-pki-proxy.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
6f0463242b75a58cf63a38e62c23fa372aeacf64..224cdd45b5b5f72671a179570fd15772fe8cfaab
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,9 +1,9 @@
-# VERSION 3 - DO NOT REMOVE THIS LINE
+# VERSION 4 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
-<LocationMatch 
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
+<LocationMatch 
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
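
Review bot: The new alternative `^/ca/ee/ca/profileSubmit` in the changed LocationMatch line has no end anchor, so it matches every URI that begins with that prefix, and the block it joins sets `NSSVerifyClient none`. That is consistent with the existing alternatives, but this one exposes a certificate request submission path through the proxy without a client certificate being requested at the Apache layer. If only the exact URI is needed for clone installation, consider `^/ca/ee/ca/profileSubmit$`, and say in the commit message that authentication of these requests is left to the PKI backend behind the AJP proxy. The VERSION bump from 3 to 4 in the same hunk looks right for getting the file replaced on upgrade.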

ACK, straightforward fix.

--
/ Alexander Bokovoy
