lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> What is 'ipa-ca' for and what should it point to?
> Also, should IPA change that record ever?
>
> Reason I ask - from the docs as I understand - it should point to all CA
> servers in the domain, but it is not happening.

It is a generic name for the CAs initially for the OCSP and CRL endpoints. If a fixed hostname was stored there then if/when that server disappears, no more resolving OCSP. It is also used for ACME as a generic name that can be used across your infra.

I suppose it's possible that you may have some old enough servers that predate the ipa-ca name. I have a faint memory that servers marked as HIDDEN also don't have this entry.

It's fine to manually add the missing record in this case. IIRC there is no task to seek out all CAs and add them.

rob