Configure PKI ajp redirection to use "localhost" instead of "::1" #395
Conversation
The fix solves ticket #6575, but I once again encountered ticket #4291: In pure IPv6 environments, the CA fails to start at the end of IPA server installation. I'm not sure why that happens, since Flo is investigating and trying to reproduce the issue.
Bad news, you are out of luck. Dogtag uses its own LDAP connector, which in turn uses JSS (NSS bindings for Java) to provide TLS for LDAP. SSLSocket from the experimental branch of JSS has IPv6 support, https://hg.mozilla.org/projects/jss/file/c76470016016/org/mozilla/jss/ssl/SSLSocket.c#l593, though.
I have created ticket https://fedorahosted.org/pki/ticket/2575 to track the issue.
Hi @tomaskrizek,
Btw our goal is not to make pure IPv6 work - this was not tested even before the regression.
Possible ways how to fix upgrades are outlined in https://bugzilla.redhat.com/show_bug.cgi?id=1398600#c48 and comment 49.
Please wait before merging this PR. @pvoborni Endi suggests 2 possible strategies for the upgrade fix: either in IPA or in PKI. We need to pick one, and depending on the choice modify this PR accordingly.
@tomaskrizek Upstream doesn't support IPv6. @nkinder told me that our Fedora packages contain several patches. The patches are not yet in upstream. One of the patches adds IPv6 support. I have not checked if the patch provides IPv6 for both client and server sockets or just for SSLSocket.
This PR has been modified to be consistent with the PKI fix for 2570. PKI now defines by default the AJP redirection to "localhost", meaning that we no longer need to override this setting. Upgrade is also handled by PKI.
Removed the ACK label since this is not yet reviewed.
Since the bug is completely fixed on the PKI side, shouldn't we bump the Installation in IPV6-only environment will not work without the updated PKI, since 127.0.0.1 was used as a default before 3a49b9b3738befc03914b0a96aad61f9650fb935. |
Yes, but in a different patch please. PKI with the fix was not released yet. So it should not block review of this patch. We can leave the ticket open until it is bumped.
I submitted this patch to BZ#1398600 and BZ#1416481. Waiting for the PKI release and bump of
@pvoborni, there is no benefit in bumping
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
i.e. all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
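As an added illustration (not code from this PR, FreeIPA or Dogtag), the following Python script audits a Tomcat server.xml for an AJP connector bound to a literal loopback address ("::1" or "127.0.0.1") rather than "localhost", and checks whether /etc/hosts maps "localhost" to that address, which is the condition the commit message above describes. The server.xml and /etc/hosts contents are constructed samples; the function names are the script's own.

```python
"""Audit server.xml AJP connector address and /etc/hosts localhost mapping.

Added example, not FreeIPA or Dogtag code. All sample inputs below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml resembling the pre-fix configuration (address="::1").
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" />
  </Service>
</Server>
"""

# Constructed server.xml resembling the fixed configuration (address="localhost").
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace('address="::1"', 'address="localhost"')

# Constructed /etc/hosts without an IPv6 loopback entry for localhost.
SAMPLE_HOSTS_NO_V6 = """127.0.0.1   localhost localhost.localdomain
# no ::1 line: IPv6 loopback is not mapped to localhost
"""

# Constructed /etc/hosts that maps localhost to both loopback addresses.
SAMPLE_HOSTS_OK = """127.0.0.1   localhost localhost.localdomain
::1         localhost localhost6
"""

LOOPBACK_LITERALS = {"127.0.0.1", "::1"}


def ajp_connectors(server_xml):
    """Return (port, address) for every AJP connector; address is None if unset."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            found.append((conn.get("port"), conn.get("address")))
    return found


def hosts_names_for(hosts_text, address):
    """Hostnames that an /etc/hosts file maps to the given address."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == address:
            names.update(fields[1:])
    return names


def audit(server_xml, hosts_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for port, addr in ajp_connectors(server_xml):
        if addr in LOOPBACK_LITERALS:
            findings.append(
                f'AJP connector on port {port} uses address="{addr}"; '
                'the fix uses address="localhost"'
            )
            if "localhost" not in hosts_names_for(hosts_text, addr):
                findings.append(
                    f"/etc/hosts does not map localhost to {addr}; "
                    "AJP redirection will fail on this host"
                )
    return findings


if __name__ == "__main__":
    for label, hosts in (("no ::1 in hosts", SAMPLE_HOSTS_NO_V6), ("hosts ok", SAMPLE_HOSTS_OK)):
        print(f"[{label}] pre-fix server.xml:")
        for finding in audit(SAMPLE_SERVER_XML, hosts):
            print("  -", finding)
    print("fixed server.xml:", audit(FIXED_SERVER_XML, SAMPLE_HOSTS_NO_V6) or "no findings")
```

On a real system the two sample strings would be replaced by the contents of /etc/pki/pki-tomcat/server.xml and /etc/hosts; with the fixed template the connector carries address="localhost" and the audit reports nothing regardless of how /etc/hosts is populated.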
Hi,
Fixed upstream
Please create a backport PR for IPA 4.4.x
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
i.e. all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica. Using "localhost" instead works with IPv4 or IPv6.
https://fedorahosted.org/freeipa/ticket/6575