Flo's analysis of BZ https://bugzilla.redhat.com/show_bug.cgi?id=2022483
Previously, a replica installation did not require port 8443 to be opened on the master. With the change b01547d "Load dogtag RA plugin in installers so profiles can be loaded", the replica installation now calls the method migrate_profiles_to_ldap, which uses port 8443 to the master (the CA is not completely configured on the replica).
My understanding was that 8443 was intended for local use only (for PKI administration purposes), so we either need to switch to port 443 (if possible), call the local dogtag instance on 8443, or update the doc wrt port requirements.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2022483
Metadata Update from @rcritten: - Issue assigned to rcritten
My thinking is that we can just use port 443 at all times, but testing all the permutations to confirm this is quite time-consuming.
With a 7.9 initial server this works:
- Straight ipa-replica-install
- promotion of client with ipa-replica-install
Will test with 8.6 and 9.0 against 7.9 as well.
Also need to test 8.x -> 8.x, 8.x server 9.0 install/promotion, and perhaps more.
Metadata Update from @rcritten: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6157
My initial attempt was to drop the override port. In all my testing as a replica this worked fine, between 8.5, 8.6 and 9.0 against a 7.9 server.
But installing as an initial server fails because Apache hasn't been set up yet.
Back to the drawing board.
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2022483, https://bugzilla.redhat.com/show_bug.cgi?id=2050540 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2022483)