Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> I just noticed some stuff was not functioning properly and it's because
> the crl url is being redirected to https (centos 6.7).
> 
> 
> $ curl http://kdc01.unix.domain.tld/ipa/crl/
> 
> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved <a href="https://kdc01.unix.domain.tld/ipa/crl/">here</a>.
> 
> Apache/2.2.15 (CentOS) Server at kdc01.unix.domain.tld Port 80
> 
> 
> This is ipa-rewrite.conf, it should not be happening, but it does:
> 
> $ cat ipa-rewrite.conf
> # VERSION 3 - DO NOT REMOVE THIS LINE
> 
> RewriteEngine on
> 
> # By default forward all requests to /ipa. If you don't want IPA
> # to be the default on your web server comment this line out.
> RewriteRule ^/$ https://kdc01.unix.iriszorg.nl/ipa/ui [L,NC,R=301]
> 
> # Redirect to the fully-qualified hostname. Not redirecting to secure
> # port so configuration files can be retrieved without requiring SSL.
> RewriteCond %{HTTP_HOST}    !^kdc01.unix.iriszorg.nl$ [NC]
> RewriteRule ^/ipa/(.*)  http://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301]
> 
> # Redirect to the secure port if not displaying an error or retrieving
> # configuration.
> RewriteCond %{SERVER_PORT}  !^443$
> RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config)
> RewriteRule ^/ipa/(.*)  https://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301,NC]
> 
> Any ideas on how to fix this?

You should have sections like these in /etc/httpd/conf.d/ipa.conf:


  SetHandler None

...
# For CRL publishing
Alias /ipa/crl "/var/lib/ipa/pki-ca/publish"

  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all


rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
hi,

On Tue, Nov 10, 2015 at 5:02 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
> > Any ideas on how to fix this?
>
> You should have sections like these in /etc/httpd/conf.d/ipa.conf:
>
> 
>   SetHandler None
> 
> ...
> # For CRL publishing
> Alias /ipa/crl "/var/lib/ipa/pki-ca/publish"
> 
>   SetHandler None
>   AllowOverride None
>   Options Indexes FollowSymLinks
>   Satisfy Any
>   Allow from all
> 
>

Yes, it's all there. I restarted httpd just in case, but it remains the
same. I get a 301 Moved Permanently to https.

--
Groeten,
natxo

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
but going back to ipa-rewrite.conf, these 2 seem contradictory:

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^kdc01.unix.iriszorg.nl$ [NC]
RewriteRule ^/ipa/(.*)  http://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$
RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config)
RewriteRule ^/ipa/(.*)  https://kdc01.unix.iriszorg.nl/ipa/$1 [L,R=301,NC]

so I modified

RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config)

with

RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)

and now it works.

Is this ok?
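Added example, not part of the thread and not FreeIPA code: a small Python model of the "redirect to the secure port" rule block quoted above, evaluated with the shipped exemption pattern and with the poster's `crl` edit. The host name `ipa.example.test` and the sample request paths are constructed placeholders; the hostname-canonicalisation rule block is not modelled.

```python
import re

# Exemption patterns from the thread: the shipped rule and the poster's edit.
ORIGINAL = r"^/ipa/(errors|config)"
MODIFIED = r"^/ipa/(errors|config|crl)"

def https_redirect(uri, port, exempt_pattern, host="ipa.example.test"):
    """Return the Location a 301 would carry, or None if served as-is.

    host is a placeholder, not a name taken from the thread.
    """
    # RewriteCond %{SERVER_PORT} !^443$  (condition fails on the TLS port)
    if re.search(r"^443$", str(port)):
        return None
    # RewriteCond %{REQUEST_URI} !^/ipa/(...)  (unanchored end, case-sensitive)
    if re.search(exempt_pattern, uri):
        return None
    # RewriteRule ^/ipa/(.*) https://host/ipa/$1 [L,R=301,NC]
    m = re.match(r"^/ipa/(.*)", uri, re.IGNORECASE)
    if m is None:
        return None
    return f"https://{host}/ipa/{m.group(1)}"

def evaluate(pattern, requests):
    """Apply the rule to (uri, port) pairs; returns (uri, port, location)."""
    return [(u, p, https_redirect(u, p, pattern)) for u, p in requests]

# Constructed sample requests.
SAMPLES = [
    ("/ipa/crl/", 80),
    ("/ipa/crl/MasterCRL.bin", 80),
    ("/ipa/config/ca.crt", 80),
    ("/ipa/ui/", 80),
    ("/ipa/ui/", 443),
    ("/ipa/crl-backup/x", 80),  # prefix match: MODIFIED exempts this too
]

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name)
        for uri, port, loc in evaluate(pattern, SAMPLES):
            print(f"  {port:<4} {uri:26} -> {loc or 'no redirect'}")
```

The exemption is a prefix match, so any path that merely starts with `/ipa/crl` also stays on plain HTTP; ending the group with `(/|$)` would narrow it to the directory itself (a suggestion added here, not something proposed in the thread).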