ACME uses nonce values to prevent replay attacks. Since the ipa-ca name can resolve to any of the IPA servers, every server needs to know the nonce value that was issued in order to verify it, and that knowledge depends on replication. Sometimes the client is faster than replication, so a request can fail with a bad-nonce error.
The PKI team addressed this in upstream PR https://github.com/dogtagpki/pki/pull/3435
A new option was added, baseURL, so that upon discovery the ACME server returns its real hostname in the directory, binding the client to that one server for the rest of the exchange.
We can add support now even prior to the upstream builds being available and the option will be ignored in the config file. Once the updated build is available then it should just work(tm).
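To make the race concrete, here is an added simulation (not code from PKI or FreeIPA) of nonce verification across replicated servers behind the shared ipa-ca name, with and without the baseURL binding. The hostnames, round-robin name resolution and the replication model are constructed for the example.

```python
import secrets


class BadNonce(Exception):
    """Stands in for ACME's urn:ietf:params:acme:error:badNonce rejection."""


class AcmeServer:
    """One replicated ACME instance; it only knows nonces that have reached it."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.nonces = set()   # issued and not yet used, as far as this server knows
        self.spent = set()    # used here; must never be accepted again (replay)

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.nonces.add(nonce)
        return nonce

    def use_nonce(self, nonce):
        # Single use: an unknown nonce is rejected exactly like a replayed one.
        if nonce not in self.nonces:
            raise BadNonce(f"{self.hostname}: unknown or replayed nonce")
        self.nonces.remove(nonce)
        self.spent.add(nonce)


class Cluster:
    """Servers behind the shared ipa-ca name (constructed model of the IPA topology)."""

    def __init__(self, hostnames, base_url_enabled):
        self.servers = [AcmeServer(h) for h in hostnames]
        self.base_url_enabled = base_url_enabled
        self._rr = 0

    def pick(self):
        # The shared name can land on any server: modelled as round-robin.
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return server

    def replicate(self):
        # Replication eventually gives every server the same nonce state.
        issued = set().union(*(s.nonces for s in self.servers))
        spent = set().union(*(s.spent for s in self.servers))
        for s in self.servers:
            s.nonces, s.spent = issued - spent, set(spent)


def acme_request(cluster, replication_done):
    """Fetch a nonce, then spend it; returns 'ok' or 'badNonce'."""
    issuer = cluster.pick()
    nonce = issuer.new_nonce()
    if replication_done:
        cluster.replicate()
    # With baseURL the directory named the issuer, so the client stays bound to it;
    # without it, the follow-up request goes wherever ipa-ca resolves next.
    target = issuer if cluster.base_url_enabled else cluster.pick()
    try:
        target.use_nonce(nonce)
        return "ok"
    except BadNonce:
        return "badNonce"
```

Running the three cases (no baseURL and replication lagging, no baseURL after replication, baseURL with replication lagging) shows only the first one failing.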
https://github.com/freeipa/freeipa/pull/5531
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1928900
Issue linked to Bugzilla: Bug 1928900