Invalid OCSP URI in IPA CA cert /etc/ipa/ca.crt

Solution In Progress - Updated -

Issue

  • When reading /etc/ipa/ca.crt from the IPA server, an invalid OCSP URI was found:
$ openssl x509 -in /etc/ipa/ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Sep 23 10:18:13 2013 GMT
            Not After : Sep 23 10:18:13 2033 GMT
        Subject: O=EXAMPLE.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:db:df:06:c3:bc:ba:b6:7d:74:7c:f6:8d:36:dc:
                    1b:5c:99:df:03:69:21:01:db:bf:e2:67:9e:bb:f2:
                    83:2c:af:21:77:6f:3f:eb:9b:55:85:a2:fd:c8:61:
                    f5:f2:14:9e:a2:bc:c1:a9:8b:29:6e:a5:48:d7:ef:
                    f5:a4:fd:e5:4c:54:a8:ee:d2:ac:e7:ac:6e:3f:83:
                    dc:50:a8:39:55:d4:c4:79:d3:3c:82:4a:c6:7a:0f:
                    81:c0:00:1a:d5:03:bc:75:4f:8a:c0:08:1a:5d:79:
                    f0:f1:33:41:cd:f6:a9:69:11:ec:50:80:2c:43:29:
                    9e:41:10:41:c3:74:50:09:f4:c0:fa:d3:3a:bf:41:
                    1f:ef:e4:52:62:61:98:25:36:09:b2:36:d9:b6:10:
                    18:2e:8e:4a:db:08:45:f7:17:50:1a:61:67:bb:f3:
                    29:a6:20:2f:9a:ec:ce:8c:b3:0e:ed:39:3a:f2:16:
                    d1:58:9f:3c:03:6a:fc:2d:79:f6:84:35:aa:63:8d:
                    c6:e6:6c:5a:89:d2:a3:e5:84:b9:b0:db:27:07:db:
                    b4:16:9d:10:7d:da:f5:4a:29:fe:dd:df:d5:95:d6:
                    04:78:3e:95:34:e2:a1:13:f2:be:4f:48:94:ad:eb:
                    52:b5:fb:e0:71:82:a1:f8:ea:8d:6e:b0:1d:b9:6b:
                    a3:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:D8:0C:FF:CC:83:5B:85:DB:85:C6:E8:BF:86:96:4F:5D:5D:ED:C2:71

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                D8:0C:FF:CC:83:5B:85:DB:85:C6:E8:BF:86:96:4F:5D:5D:ED:C2:71
            Authority Information Access: 
                OCSP - URI:http://ipaserver1.example.com:80/ca/ocsp <<<====== this is an invalid URI

    Signature Algorithm: sha256WithRSAEncryption
         2f:92:ef:7b:de:2e:99:5a:97:13:d1:f7:3f:52:23:30:d4:4e:
         65:11:4c:38:d4:04:12:35:6f:4b:75:e9:c9:6d:88:9b:e5:5e:
         2b:28:89:6f:1a:99:a9:ef:1e:16:fd:28:18:41:e9:f5:45:3c:
         3e:12:1e:e7:af:de:cb:fb:6a:f8:e4:93:dd:31:45:44:f5:09:
         a0:14:0a:dc:08:bd:04:da:ee:e7:66:4e:4c:e6:48:3c:c4:c7:
         04:64:97:32:6a:71:c6:71:92:32:ff:c7:4e:d5:49:c9:6d:b4:
         f3:d5:df:35:1a:bc:33:8e:14:5f:e1:ed:ac:e3:f0:af:cb:41:
         f1:84:7a:ad:bc:76:3a:e6:ae:00:83:00:7b:18:cf:b5:95:b3:
         cf:1d:09:fc:1a:14:44:6e:b3:02:00:77:fe:9e:d4:c4:84:06:
         a8:0e:df:75:ff:32:c4:ef:ea:67:1a:04:02:d3:3f:57:63:37:
         f3:83:67:80:c4:40:33:fb:08:79:9c:01:b6:0f:78:af:27:12:
         6f:d3:b7:9f:08:6f:b3:05:1c:5d:a6:27:36:ca:a1:76:83:b6:
         47:b1:03:53:f6:d8:b3:1c:ad:2d:44:a9:6c:23:82:4b:e4:0f:
         4a:2e:05:78:44:4b:58:65:9d:1a:5e:6b:f6:04:eb:fe:91:15:
         c2:48:96:02
  • In the output above, the following lines stand out:
 Authority Information Access: 
 OCSP - URI:http://ipaserver1.example.com:80/ca/ocsp
  • The server ipaserver1.example.com is not a part of the IPA cluster (anymore).
  • The correct OCSP URI should be http://ipa-ca.example.com/ca/ocsp
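A check for this condition, added here as an example and not part of the Red Hat article: it extracts the OCSP responder URIs from the Authority Information Access section of an `openssl x509 -text` dump and compares each URI's host with the alias IPA clients should use (ipa-ca.example.com). SAMPLE_TEXT is a constructed excerpt modelled on the dump above; check_cert_file assumes an openssl binary on PATH.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample: only the relevant extension lines of the CA cert dump.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access: 
                OCSP - URI:http://ipaserver1.example.com:80/ca/ocsp

    Signature Algorithm: sha256WithRSAEncryption
"""

# openssl prints each AIA OCSP entry as "OCSP - URI:<uri>" on its own line.
OCSP_RE = re.compile(r"^[ \t]*OCSP - URI:(\S+)", re.MULTILINE)


def ocsp_uris(cert_text):
    """Return the OCSP URIs found in the AIA extension, in order of appearance."""
    return OCSP_RE.findall(cert_text)


def check_ocsp_uris(cert_text, expected_host):
    """Compare each OCSP URI's host with the host clients are expected to reach.

    Returns a list of (uri, host, ok) tuples; ok is False for a URI that points
    at a host other than expected_host (e.g. a server no longer in the cluster).
    """
    findings = []
    for uri in ocsp_uris(cert_text):
        host = urlsplit(uri).hostname or ""
        findings.append((uri, host, host.lower() == expected_host.lower()))
    return findings


def check_cert_file(path, expected_host):
    """Run the check against a PEM certificate file (hypothetical helper; needs openssl)."""
    dump = subprocess.run(["openssl", "x509", "-in", path, "-text", "-noout"],
                          check=True, capture_output=True, text=True).stdout
    return check_ocsp_uris(dump, expected_host)


if __name__ == "__main__":
    for uri, host, ok in check_ocsp_uris(SAMPLE_TEXT, "ipa-ca.example.com"):
        print(("OK   " if ok else "BAD  ") + uri + "  (host: " + host + ")")
```

On a live server, `check_cert_file("/etc/ipa/ca.crt", "ipa-ca.example.com")` performs the same comparison on the real CA certificate.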

Environment

  • Red Hat Enterprise Linux 7.9
