#6966 Document that port 8080 needs to be open on IPA masters for cert-find
Closed: fixed 6 years ago Opened 6 years ago by rcritten.

The cert-find backend is hardcoded to use port 8080 in dogtag.py. If the CA is on another master then port 8080 needs to be open in order to make a connection. This needs to be documented, perhaps on the ipa-server-install output.

This seems to also affect displaying a user (timing out) but I didn't investigate that part.


I checked multiple times in the GUI, and there is usually a never-ending wheel, and upon refresh the page turns blank.

I can see that the cert_find call in the apache error logs is not made.

After opening port 8080, it works smoothly and as expected.

Same behaviour using ipa cert-find CLI.

IMO we should change cert-find to use 8443, which should already be open
(and hunt down any other usage of 8080 from the framework).

cert-find should not use ports 8080 and 8443 on a remote machine. These ports should only be used for communication with a local Dogtag instance. For communication with a remote Dogtag, cert-find should go over Apache mod_proxy.
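The routing rule stated in the comment above, as an added illustration (example code written for this page, not FreeIPA's dogtag.py or the code in the linked commits): a Dogtag on the same host is reached directly on 8080/8443, while a remote Dogtag is reached through Apache mod_proxy on the standard HTTPS port. The hostnames, the assumed REST path and the proxy port 443 are assumptions for the example, and the "old" builder only reproduces the hardcoded-8080 behaviour the ticket describes.

```python
"""Added example (not FreeIPA code): pick the Dogtag endpoint for cert-find
and report which ports a non-CA master would need open to reach the CA."""
from urllib.parse import urlparse

LOCAL_HTTP_PORT = 8080    # plain HTTP; only for a Dogtag on this host
LOCAL_HTTPS_PORT = 8443   # TLS; only for a Dogtag on this host
PROXY_PORT = 443          # Apache mod_proxy in front of a remote Dogtag
SEARCH_PATH = "/ca/rest/certs/search"  # assumed REST path for the example


def old_ca_url(ca_host, local_hostname):
    """Behaviour the ticket describes: port 8080 regardless of where the CA is."""
    return f"http://{ca_host}:{LOCAL_HTTP_PORT}{SEARCH_PATH}"


def ca_url(ca_host, local_hostname, secure=True):
    """Rule from the comment: direct ports only locally, proxy for remote CAs."""
    if ca_host == local_hostname:
        port = LOCAL_HTTPS_PORT if secure else LOCAL_HTTP_PORT
        scheme = "https" if secure else "http"
        return f"{scheme}://{ca_host}:{port}{SEARCH_PATH}"
    # Remote Dogtag: go through mod_proxy, so only 443 must be reachable.
    return f"https://{ca_host}:{PROXY_PORT}{SEARCH_PATH}"


def remote_ports_used(url_builder, ca_hosts, local_hostname):
    """Set of ports this master must reach on other masters for cert-find."""
    ports = set()
    for host in ca_hosts:
        if host == local_hostname:
            continue  # local traffic never crosses the firewall
        ports.add(urlparse(url_builder(host, local_hostname)).port)
    return ports


def missing_firewall_ports(required_ports, open_ports):
    """Ports cert-find needs that the firewall between masters does not allow."""
    return sorted(set(required_ports) - set(open_ports))


if __name__ == "__main__":
    # Constructed topology: one CA master, this host is a CA-less replica.
    ca_hosts = ["ca.example.test"]
    me = "replica.example.test"
    open_between_masters = {443, 80, 389, 636, 88, 464}  # constructed sample
    for name, builder in (("hardcoded 8080", old_ca_url), ("via proxy", ca_url)):
        needed = remote_ports_used(builder, ca_hosts, me)
        print(name, "needs", needed, "missing:",
              missing_firewall_ports(needed, open_between_masters))
```

Run as a script it shows the situation from the ticket: the hardcoded builder needs 8080, which the constructed firewall set does not include, while the proxy builder needs only 443.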

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.2

6 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto

6 years ago

master:

  • 3653203 Changing cert-find to go through the proxy instead of using the port 8080

ipa-4-5:

  • 960b9a3 Changing cert-find to go through the proxy instead of using the port 8080

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

I see that you are using port 80. Why are you sticking to insecure HTTP? All communication except CRL and OCSP should be secured by TLS or GSSAPI. CRL and OCSP are secured by a signature.

It is a search for public certs. I didn't see the point in adding TLS overhead to that.

Let's address it as a separate issue; 8080 was not using TLS after all.

I created #7027 to track the issue.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1502533 (was: todo)

6 years ago
