ipa/0101-Replica-Request-cert-for-DoT-before-setting-up-bind.patch
Florence Blanc-Renaud a96d03c543 ipa-4.12.2-19
- Resolves: RHEL-100450 eDNS: multiple issues during encrypted DNS setup
- Resolves: RHEL-89907 Privilege escalation from host to domain admin in FreeIPA
- Resolves: RHEL-99315 Include latest fixes in python3-ipatests package
- Resolves: RHEL-98565 ipa-idrange-fix: 'Env' object has no attribute 'basedn'
- Resolves: RHEL-96920 Nightly test failure (rawhide) in test_trust.py::TestTrust::test_server_option_with_unreachable_ad
- Resolves: RHEL-31907 kdb: support storing and retrieving multiple master keys

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2025-06-30 11:07:39 +02:00


From f4cbea00fde8dada84bfd1262b5271035d3ca7a4 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 12 Jun 2025 18:34:49 +0200
Subject: [PATCH] Replica: Request cert for DoT before setting up bind

Deploying a replica with DNS support using an IPA server DNS with DoT
fails while setting up DNS over TLS. The request for the certificate for
DoT using IPA CA is done after the DNS server for the replica is configured.
The nameserver in /etc/resolv.conf has been changed to 127.0.0.1, but
unbound was not yet configured as a forwarder.

The solution is to move the cert request before the DNS server
configuration. The unbound config from the client deployment is still
working at that moment.

Fixes: https://pagure.io/freeipa/issue/9808

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dns.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index ccec9d8019a250a275cbfac5a360fc3046bcb69c..9740faeddb244a56b2dc8a274ff82158f6dd2204 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -114,7 +114,7 @@ def _disable_dnssec():
conn.update_entry(entry)
-def _setup_dns_over_tls(options):
+def _request_cert_for_dns_over_tls(options):
if os.path.isfile(paths.IPA_CA_CRT) and not options.dns_over_tls_cert:
# request certificate for DNS over TLS, using IPA CA
cert = paths.BIND_DNS_OVER_TLS_CRT
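Review bot: the renamed `_request_cert_for_dns_over_tls` has no docstring, and its only documentation is the guard `if os.path.isfile(paths.IPA_CA_CRT) and not options.dns_over_tls_cert:` on the line below the `def`. Add a short docstring saying that the function requests the DoT certificate from the IPA CA and is a no-op when the caller supplied a certificate via `dns_over_tls_cert` or when the IPA CA certificate is absent, so that new call sites do not assume a certificate is always written to `paths.BIND_DNS_OVER_TLS_CRT`.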
@@ -128,6 +128,8 @@ def _setup_dns_over_tls(options):
constants.NAMED_USER.chown(cert, gid=constants.NAMED_GROUP.gid)
constants.NAMED_USER.chown(key, gid=constants.NAMED_GROUP.gid)
+
+def _setup_dns_over_tls(options):
# setup and enable Unbound as resolver
forward_addrs = ["# forward-addr: specify here forwarders"]
if options.dot_forwarders:
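Review bot: style point on the added `+def _setup_dns_over_tls(options):`, which is separated from the `chown` calls of the preceding function by a single blank line; PEP 8 (E302) expects two blank lines between top-level definitions, so add a second `+` blank line before the `def`. Keeping the old name for the Unbound part means existing call sites of `_setup_dns_over_tls` still resolve, but they no longer request a certificate, which `install()` now does separately in the next hunk; worth a sentence in the commit message or a comment at the `# setup and enable Unbound as resolver` line.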
@@ -435,6 +437,10 @@ def install(standalone, replica, options, api=api):
"and IPA CA is not present."
)
+ if options.dns_over_tls:
+ print("Request certificate for DNS over TLS, using IPA CA")
+ _request_cert_for_dns_over_tls(options)
+
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
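Review bot: the added `print("Request certificate for DNS over TLS, using IPA CA")` runs for every install with `options.dns_over_tls` set, but `_request_cert_for_dns_over_tls` (first hunk) only requests a certificate when `paths.IPA_CA_CRT` exists and `options.dns_over_tls_cert` is unset, so a user who passed their own certificate sees a misleading message; move the print inside that condition in the helper, or guard it here with `not options.dns_over_tls_cert`. Calling the helper before `bind.setup(...)` is the substance of the fix: the certificate request still goes through the client-deployment Unbound forwarder before `/etc/resolv.conf` is switched to 127.0.0.1, which the commit message describes as the failure.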
--
2.50.0