guilhem / freeipa-issuer

A cert-manager external issuer for FreeIPA
Apache License 2.0
32 stars 14 forks

freeipa provisioner should follow redirects #23

Open bd-spl opened 1 year ago

bd-spl commented 1 year ago

The freeipa.go code uses a low-level http.Transport, which doesn't follow redirects:

https://github.com/guilhem/freeipa-issuer/blob/master/provisionners/freeipa.go#L32 https://github.com/golang/go/blob/master/src/net/http/transport.go#L71

So when it tries to connect to the IPA server via unencrypted HTTP and by chance gets redirected to https://ipa.beer.best/ipa/session/login_password, it fails with HTTP 400.

bd-spl commented 1 year ago

But I may be wrong; it seems there is an http.Client used down the road...

Then I'm not sure why I see HTTP 400 in the manager logs, like:

{"level":"error","ts":1670487898.6010566,"logger":"controller.issuer","msg":"Reconciler error","reconciler group":"certmanager.freeipa.org","reconciler kind":"Issuer","name":"issuer-sample-creds","namespace":"foo","error":"initial login falied: unexpected http status code: 400"
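
As an added illustration of the two comments above (example code written for this page, not part of freeipa-issuer or FreeIPA): a constructed httptest stub stands in for the IPA server and answers the plain-HTTP login POST with a 302. A bare http.Transport round trip hands that 302 back unchanged, while http.Client follows it, but net/http re-issues a 301/302/303-redirected POST as a GET with no body, so the credentials never reach the redirected endpoint. The path /ipa/session/login_password, the redirect target and the form fields are assumptions made for the demonstration; pointing the issuer at the https:// address directly avoids both the redirect and sending the login over cleartext.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

type RedirectProbe struct {
	TransportStatus int    // status a bare http.Transport hands back (it never follows redirects)
	ClientStatus    int    // final status seen through http.Client (it follows redirects)
	ClientMethod    string // method that actually arrives at the redirect target
	ClientBodyLen   int    // request body bytes that arrive at the redirect target
}
// newLoginStub is a constructed stand-in for the IPA endpoint, not FreeIPA itself: it redirects
// the unencrypted login path and records what the follow-up request looks like.
func newLoginStub(p *RedirectProbe) *httptest.Server {
	mux := http.NewServeMux()
	mux.Handle("/ipa/session/login_password", http.RedirectHandler("/redirected/login_password", http.StatusFound))
	mux.HandleFunc("/redirected/login_password", func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		p.ClientMethod, p.ClientBodyLen = r.Method, len(body)
	})
	return httptest.NewServer(mux)
}
// send posts a constructed placeholder login form (not a real credential) with the given sender.
func send(do func(*http.Request) (*http.Response, error), base string) (int, error) {
	req, _ := http.NewRequest(http.MethodPost, base+"/ipa/session/login_password", strings.NewReader("user=admin&password=PLACEHOLDER"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
// RunProbe issues the same login POST through a bare Transport and through a Client.
func RunProbe() (p RedirectProbe, err error) {
	srv := newLoginStub(&p)
	defer srv.Close()
	// Transport.RoundTrip performs exactly one exchange, so the 302 surfaces unchanged.
	if p.TransportStatus, err = send(http.DefaultTransport.RoundTrip, srv.URL); err == nil {
		// Client.Do follows the 302, but a redirected POST (301/302/303) is re-sent as a body-less GET.
		p.ClientStatus, err = send(http.DefaultClient.Do, srv.URL)
	}
	return p, err
}
func main() { fmt.Println(RunProbe()) }
```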

bitnik commented 5 months ago

@bd-spl did you find out what the reason was? We are getting the same error.

bd-spl commented 5 months ago

I've added a firewall rule to allow egress traffic to port 80, so that cert-manager could reach the FreeIPA servers over HTTP (tcp:80). I believe this is fine, as it gets redirected to HTTPS afterwards.