You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify the cert of the host serving the CRL/OCSP when the cert on that host needs to be verified at itself.
I'm not sure why you'd particularly care though - read the Apache configs and you should see that, other than a couple of exceptions, all HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not
> found a concrete answer. I know the Red Hat docs indicate port 80 is
> required bidirectional however I need to investigate if it is truly
> needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
> 80. I have seen some references that dogtag proxies its ports to 80
> and 443 but if the GUI is running on 443 does that mean dogtag is
> proxying via 443 only? Or is there a way to tell? Has anyone attempted
> not opening port 80 from IPA Server to IPA Server and clients to IPA
> server?
>
> ipa-server-3.0.0-50.el6.1.x86_64
>
> Sean Hogan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
