You need to serve CRLs and OCSP via HTTP to avoid clients failing to
verify the cert of the host serving the CRL/OCSP when the cert on that
host needs to be verified at itself.

I'm not sure why you'd particularly care though - read the Apache
configs and you should see that, other than a couple of exceptions, all
HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:
>
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not
> found a concrete answer. I know the Red Hat docs indicate port 80 is
> required bidirectional; however, I need to investigate if it is truly
> needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
> 80. I have seen some references that dogtag proxies its ports to 80
> and 443 but if the GUI is running on 443 does that mean dogtag is
> proxying via 443 only? Or is there a way to tell? Has anyone attempted
> not opening port 80 from IPA Server to IPA Server and clients to IPA
> server?
> ipa-server-3.0.0-50.el6.1.x86_64
>
> Sean Hogan
