On 2016-07-01 10:59, Petr Spacek wrote:
> On 1.7.2016 10:55, Christian Heimes wrote:
>> On 2016-07-01 10:48, Petr Spacek wrote:
>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make an
>>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>> host.
>>>>
>>>> On a replica without CA, ca_host is a remote host (e.g. the master's
>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>> which might be blocked by a firewall.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>
>>> Interesting. How does it happen that a replica without CA is calling
>>> RedHatCAService?
>>>
>>> Also, why should a replica be waiting for the CA if it is not installed?
>>>
>>> I'm confused.
>>
>> There is a hint in the last sentence: ipa-ca-install
>>
>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>> doesn't wait for the local Dogtag to come up but connects to a remote
>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>> blocked. In my test setup I have both ports blocked, so ipa-ca-install
>> never succeeds.
>
> Oh, I missed that, thanks!
>
> Isn't the root cause that ipa.env.ca_host does not get updated during
> ipa-ca-install?
Been there, tried it, didn't work: https://fedorahosted.org/freeipa/ticket/6016#comment:1

It just doesn't make sense that RedHatCAService should ever check a remote instance. The rest of the class is about the local systemd service. As soon as we have sd_notify (https://fedorahosted.org/pki/ticket/1233) implemented, we can use systemd to wait for Dogtag.
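The bug discussed above boils down to a startup wait that polls whichever host a config value names instead of the service being started. The sketch below is an added illustration, not FreeIPA or Dogtag code: `ca_status()` and `wait_until_running()` are hypothetical stand-ins for the functions named in the thread, the `/ca/admin/ca/getStatus` path is the one from the thread, and the fake CA server, its response bodies and the port it listens on are constructed here so the example runs offline. The caller passes the local host explicitly, so the wait can never drift to a remote CA (and a remote firewall) the way the report describes, and the poll is bounded by a deadline so a service that never comes up fails loudly instead of hanging.

```python
import http.client
import http.server
import threading
import time

STATUS_PATH = "/ca/admin/ca/getStatus"  # path named in the bug report


def ca_status(host, port, path=STATUS_PATH, timeout=2.0):
    """Hypothetical stand-in for dogtag.ca_status(): True if the endpoint answers 200.

    The host is a required argument on purpose; there is no fallback to a
    configured (possibly remote) CA host.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status == 200
    except OSError:
        # connection refused, reset, or timed out: treat as "not up yet"
        return False


def wait_until_running(host, port, timeout=10.0, interval=0.2):
    """Poll the CA status endpoint on *host* until it answers or the deadline passes.

    Returns (running, attempts). A deadline keeps a blocked or dead service
    from turning the installer into an infinite wait.
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while time.monotonic() < deadline:
        attempts += 1
        if ca_status(host, port):
            return True, attempts
        time.sleep(interval)
    return False, attempts


class _FakeCAHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Dogtag instance that is still starting up."""

    ready = False  # flipped to True to simulate startup finishing

    def do_GET(self):
        if self.path == STATUS_PATH and type(self).ready:
            body, code = b"constructed: CA running", 200
        else:
            body, code = b"constructed: not ready", 503
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_ca():
    """Bind the fake CA on loopback with an OS-chosen port and serve it in a thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeCAHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Returns (gave_up_while_starting, came_up_later, attempts_until_up)."""
    server = start_fake_ca()
    port = server.server_address[1]
    _FakeCAHandler.ready = False

    # While the service is still starting, the wait gives up at its deadline.
    gave_up, _ = wait_until_running("127.0.0.1", port, timeout=0.5)

    # Simulate startup finishing shortly after the second wait begins.
    threading.Timer(0.3, lambda: setattr(_FakeCAHandler, "ready", True)).start()
    came_up, attempts = wait_until_running("127.0.0.1", port, timeout=5.0)

    server.shutdown()
    server.server_close()
    return not gave_up, came_up, attempts


if __name__ == "__main__":
    print(demo())
```

Running the block starts a throwaway loopback server, shows the bounded wait returning False while the fake CA still answers 503, then True once it answers 200. The same shape applies to any installer that waits on a freshly started local daemon: point the health check at the host you just started, not at a config value that may name somebody else's machine.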