RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1735692 - Fix section about CRL generation
Summary: Fix section about CRL generation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.7
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 7.8
Assignee: Marc Muehlfeld
QA Contact: ipa-qe
Vendula Ferschmannova
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-08-01 09:30 UTC by Florence Blanc-Renaud
Modified: 2019-08-26 08:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-09 11:58:32 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Florence Blanc-Renaud 2019-08-01 09:30:38 UTC 
Document URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#migrate-6-7-transition-ca

Section Number and Name: 8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server

Describe the issue: One of the steps in "Move CRL generation from the original rhel6.example.com CA master to rhel7.example.com" is wrong. Step 2 states:
---
On rhel6.example.com, configure Apache to redirect CRL requests to the new master, rhel7.example.com. 
 Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file. Uncomment the RewriteRule argument, and replace the server host name with the rhel7.example.com host name in the server URL:

RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel7.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
---


Suggestions for improvement: It should instead state:
On rhel6.example.com, configure Apache to redirect CRL requests. 
 Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file. Uncomment the RewriteRule argument:

RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel6.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

Additional information: The admin does not need to modify the server host name as it should point to the local host. When the rewrite rule is enabled, the CRL  is obtained from the local Certificate System server instead of from a local file.
Comment 2 Florence Blanc-Renaud 2019-08-01 11:09:38 UTC 
The section 6.5.2.2. Changing Which Server Generates CRLs also needs to be updated:

Document URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles#promote-change-crl-gen

Section Number and Name: 6.5.2.2. Changing Which Server Generates CRLs

Describe the issue: Step 4 may be misleading. It currently states:
---
 Configure Apache to redirect CRL requests to the new master. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule argument:

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://server.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

----

Suggestions for improvement: it should instead state:
----
 Configure Apache to redirect CRL requests to the local Certificate System server. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule argument:

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://server.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

----
Comment 3 Marc Muehlfeld 2019-08-09 11:58:32 UTC 
I changed the text as suggested. The update is now available on the Customer Portal:

6.5.2.2. Changing Which Server Generates CRLs
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#promote-change-crl-gen

8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#migrate-6-7-transition-ca
Comment 4 Florence Blanc-Renaud 2019-08-26 08:35:29 UTC 
Modifications checked, LGTM. Thanks for the update!
Note You need to log in before you can comment on or make changes to this bug.