On Fri, 23 Dec 2016, Brian Candler wrote:
On 23/12/2016 09:47, Brian Candler wrote:
/etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp


However the installation process didn't actually create this DNS entry, so the ipa-ca hostname is not resolvable.

Aside: I think this was because ipatest.foo.example.com was only in /etc/hosts, not in the DNS. Installation message:

ipa : ERROR unable to resolve host name ipatest.foo.example.com. to IP address, ipa-ca DNS record will be incomplete

But if it had used gethostent() or similar, it would have worked:

# getent hosts ipatest.foo.example.com
100.64.2.3      ipatest.foo.example.com ipatest

ipa-ca used to be a CNAME; you cannot handle CNAME via /etc/hosts.
However, multiple replicas cannot be specified via CNAME, so we had to
fix https://fedorahosted.org/freeipa/ticket/3547.

The ipa-ca A record is now handled as part of the server upgrade which
also should be run at the very end of a normal install.
--
/ Alexander Bokovoy
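
The mismatch discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: a Python check that reads `ca.defaultOcspUri` from CS.cfg text and reports whether a name is answered from the hosts file (and so may be missing from DNS) or does not resolve at all. All function names and the sample inputs are constructed for illustration; the sample values mirror the ones quoted above.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample inputs mirroring the values quoted in the thread.
SAMPLE_CS_CFG = "ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp\n"
SAMPLE_HOSTS = ("127.0.0.1 localhost\n"
                "100.64.2.3      ipatest.foo.example.com ipatest  # lab box\n")

def ocsp_host(cs_cfg_text):
    """Return the host part of ca.defaultOcspUri, or None if the key is absent."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "ca.defaultOcspUri":
            return urlsplit(value.strip()).hostname
    return None

def hosts_file_names(hosts_text):
    """Map every lower-cased name in hosts(5)-format text to its addresses."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:                 # fields[0] is the address
            names.setdefault(name.lower().rstrip("."), []).append(fields[0])
    return names

def nss_lookup(name):
    """Resolve through the system resolver (order set by nsswitch.conf)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def classify(name, hosts_text, lookup=nss_lookup):
    """Say whether a name is served from the hosts file, resolves, or fails."""
    if name.lower().rstrip(".") in hosts_file_names(hosts_text):
        # A local answer can hide a record that is missing from DNS.
        return "masked-by-hosts-file"
    return "resolvable" if lookup(name) else "unresolvable"

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        local_hosts = fh.read()
    for host in (ocsp_host(SAMPLE_CS_CFG), "ipatest.foo.example.com."):
        print(host, "->", classify(host, local_hosts))
```

An OCSP host reported as `unresolvable` means clients following that URI cannot reach the responder for revocation checks.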
