On 31/03/2022 13:40, Florence Blanc-Renaud wrote:
Hi,

The command /ipa dns-update-system-records/ can be used to add the missing records. If you'd rather add them manually, the command can be run with the /--dry-run/ option and will display the expected records but will not perform any update.

flo

On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users <[email protected]> wrote:

    lejeczek via FreeIPA-users wrote:
    > Hi guys.
    >
    > What is 'ipa-ca' for and what should it point to?
    > Also, should IPA change that record ever?
    >
    > Reason I ask - from the docs as I understand - it should point to all CA
    > servers in the domain, but it's not happening.

    It is a generic name for the CAs initially for the OCSP and CRL
    endpoints. If a fixed hostname was stored there then if/when that server
    disappears, no more resolving OCSP.

    It is also used for ACME as a generic name that can be used across your
    infra.

    I suppose it's possible that you may have some old enough servers that
    predate the ipa-ca name. I have a faint memory that servers marked as
    HIDDEN also don't have this entry.

    It's fine to manually add the missing record in this case. IIRC there is
    no task to seek out all CAs and add them.

    rob

nice - 'ipa dns-update-system-records' - very useful.

I wonder if the fact that my 'ipa-ca' was "incomplete" might have something to do with ipa-client-install's
...
Successfully retrieved CA cert
...
Joining realm failed: JSON-RPC call failed: Peer certificate cannot be authenticated with given CA certificates
...

My setup is a bit, well, awkward so it might be that but still - someone please decipher that error if you will.

many thanks, L.
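
A check for the situation discussed in this thread, added here as an example and not taken from any of the posts or from FreeIPA itself: it lists CA server addresses that the ipa-ca name does not resolve to. The function names, the sample addresses and the convention of passing the CA host names as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA code): find CA server addresses that the
# ipa-ca name does not resolve to. Function names are hypothetical.

# missing_addrs EXPECTED ACTUAL
# Both arguments are newline-separated address lists. Prints every address
# in EXPECTED that has no exact, whole-line match in ACTUAL.
missing_addrs() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

# resolve_addrs NAME
# A and AAAA answers for NAME, one per line. Needs dig and a resolver.
# CNAME targets (which end in a dot) are dropped so only addresses remain.
resolve_addrs() {
    { dig +short A "$1"; dig +short AAAA "$1"; } | grep -v '\.$' | sort -u
}

# check_ipa_ca DOMAIN CA_HOST...
# Prints the addresses of the given CA hosts that ipa-ca.DOMAIN lacks.
# The caller supplies the CA host names (assumption: the admin knows them).
check_ipa_ca() {
    domain=$1
    shift
    expected=$(for host in "$@"; do resolve_addrs "$host"; done)
    missing_addrs "$expected" "$(resolve_addrs "ipa-ca.$domain")"
}

# Constructed sample data (documentation address ranges), so the comparison
# can be run without DNS: three CA addresses, ipa-ca knows only two.
SAMPLE_CA_ADDRS='192.0.2.11
192.0.2.12
2001:db8::11'
SAMPLE_IPA_CA_ADDRS='192.0.2.11
2001:db8::11'

echo "Missing from ipa-ca:"
missing_addrs "$SAMPLE_CA_ADDRS" "$SAMPLE_IPA_CA_ADDRS"
```

Against a live domain, `check_ipa_ca example.test ca1.example.test ca2.example.test` (placeholder names) prints nothing when every CA address is present under ipa-ca.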