On 31/03/2022 13:40, Florence Blanc-Renaud wrote:
Hi,
The command /ipa dns-update-system-records/ can be used to add the missing records. If you'd rather add them manually, the command can be run with the /--dry-run/ option and will display the expected records but will not perform any update.
flo
On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> What is 'ipa-ca' for and what should it point to?
> Also, should IPA change that record ever?
>
> Reason I ask - from the docs as I understand - it should point to all CA
> servers in the domain, but it is not happening.
It is a generic name for the CAs, initially for the OCSP and CRL endpoints. If a fixed hostname was stored there then if/when that server disappears, no more resolving OCSP.
It is also used for ACME as a generic name that can be used across your infra.
I suppose it's possible that you may have some old enough servers that predate the ipa-ca name. I have a faint memory that servers marked as HIDDEN also don't have this entry.
It's fine to manually add the missing record in this case. IIRC there is no task to seek out all CAs and add them.
rob
nice - 'ipa dns-update-system-records' - very useful.
I wonder if the fact that my 'ipa-ca' was "incomplete" might have something to do with ipa-client-install's
...
Successfully retrieved CA cert
...
Joining realm failed: JSON-RPC call failed: Peer certificate cannot be authenticated with given CA certificates
...
My setup is a bit, well, awkward so it might be that but still - someone please decipher that error if you will.
many thanks, L.
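As an added example (not from the thread or from the FreeIPA project), here is a small POSIX shell check that compares the addresses behind the generic ipa-ca name with the addresses of the enabled CA servers, so an incomplete or stale ipa-ca record is noticed before OCSP, CRL or ACME clients fail on it. The address lists are passed in as plain text (the sample data below is constructed); how you gather them, for instance `dig +short ipa-ca.<domain> A` and resolving each host from `ipa server-role-find --role "CA server"`, is left to you.

```shell
#!/bin/sh
# Added example: consistency check between the ipa-ca DNS record and the
# set of CA servers. Both inputs are newline-separated IP address lists.

# Print, one per line, CA-server addresses that ipa-ca does NOT resolve to.
# $1 = addresses of the CA servers, $2 = addresses currently behind ipa-ca.
missing_ipa_ca_addrs() {
    printf '%s\n' "$1" | sort -u | while read -r addr; do
        [ -n "$addr" ] || continue
        # exact, whole-line, fixed-string match so 192.0.2.1 != 192.0.2.10
        if ! printf '%s\n' "$2" | grep -qxF "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Print addresses behind ipa-ca that belong to no CA server (stale entries,
# e.g. a decommissioned CA whose A record was never removed).
stale_ipa_ca_addrs() {
    missing_ipa_ca_addrs "$2" "$1"
}

# Constructed sample data (documentation addresses, not real servers):
# three CA servers, but ipa-ca only lists one of them plus a stale address.
CA_SERVERS='192.0.2.10
192.0.2.11
192.0.2.12'
IPA_CA_RECORD='192.0.2.10
192.0.2.99'

# Report both directions; returns non-zero when anything is off.
main() {
    missing=$(missing_ipa_ca_addrs "$CA_SERVERS" "$IPA_CA_RECORD")
    stale=$(stale_ipa_ca_addrs "$CA_SERVERS" "$IPA_CA_RECORD")
    [ -z "$missing" ] || printf 'ipa-ca is missing CA addresses:\n%s\n' "$missing"
    [ -z "$stale" ] || printf 'ipa-ca points at non-CA addresses:\n%s\n' "$stale"
    [ -z "$missing" ] && [ -z "$stale" ]
}

if main; then
    echo "ipa-ca record is consistent with the CA servers"
fi
```

With the sample data the report lists 192.0.2.11 and 192.0.2.12 as missing and 192.0.2.99 as stale; `ipa dns-update-system-records --dry-run` then shows what IPA itself would write for the missing entries.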