[Freeipa-devel] [PATCH] 1109 No client machine cert

Martin Kosek mkosek at redhat.com
Fri Sep 5 13:17:10 UTC 2014


On 09/05/2014 03:15 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a):
>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>
>>>>>> rob
>>>>>
>>>>> The original plan was to keep generating the certificate, but in
>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>
>>>>> I'm fine with either approach.
>>>>>
>>>>
>>>> The cert has never been used and is now actively causing issues in
>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>> the location, but IMHO its time has come.
>>>>
>>>> rob
>>>
>>> One change that Rob's patch also does is that from now on, certmonger
>>> would not be enabled and running by default on client machines. It would
>>> only be enabled on IPA server.
>>>
>>> I am still not confident about the resolution to just stop generating the
>>> certificate, I was leaning more towards making it optional + generating to
>>> better database as Honza proposed.
>>>
>>> Simo, Alexander, what is your take on this?
>> I'm fine with making it optional. However, on client machine upgrades do
>> not stop and disable certmonger if it is tracking more than just the
>> host certificate.
>>
> 
> Well, that is unrelated to this change. Should that be a separate ticket?
> 
> rob
> 

I see it as very related. If we choose to do this optionally, instead of
removing the code, we would do it conditionally (with different NSS database).

But so far, it seems we chose to really just simply remove the code, i.e. no
ticket needed.

Martin
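Alexander's condition above (do not stop and disable certmonger on a client upgrade if it tracks more than the host certificate) can be checked from the output of `getcert list`. The script below is an added example, not code from Rob's patch or from FreeIPA; it assumes that `getcert list` prints one `Request ID '...':` line per tracked request followed by indented fields containing a `nickname=` value, and it runs on constructed sample output rather than calling `getcert` itself. The host certificate nickname and the sample request IDs are made up for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): decide whether certmonger may be
# stopped on an IPA client by checking what it tracks besides the host cert.
# Assumed output shape of `getcert list`: one "Request ID '...':" line per
# tracked request, followed by indented fields including "nickname=...".

# Constructed sample: only the IPA machine certificate is tracked.
SAMPLE_HOST_ONLY=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20140905131710':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
        subject: CN=client.example.com,O=EXAMPLE.COM
        track: yes
        auto-renew: yes
EOF
)

# Constructed sample: the host certificate plus a second, unrelated request.
SAMPLE_WITH_HTTPD=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140905131710':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com',token='NSS Certificate DB'
        subject: CN=client.example.com,O=EXAMPLE.COM
        track: yes
        auto-renew: yes
Request ID '20140905140000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=client.example.com,O=EXAMPLE.COM
        track: yes
        auto-renew: yes
EOF
)

# Hypothetical nickname of the client's host certificate (an assumption).
HOST_NICK='IPA Machine Certificate - client.example.com'

# count_other_tracked LIST_OUTPUT HOST_NICKNAME
# Prints the number of tracked requests whose nickname is not the host cert.
count_other_tracked() {
    printf '%s\n' "$1" | awk -v host="$2" '
        /^Request ID/ { n++; next }
        /nickname=/   { if (index($0, host)) n-- }
        END           { print n + 0 }'
}

# certmonger_may_stop LIST_OUTPUT HOST_NICKNAME
# Succeeds only when nothing but the host certificate is being tracked.
certmonger_may_stop() {
    [ "$(count_other_tracked "$1" "$2")" -eq 0 ]
}

# Stand-alone demonstration over the two constructed samples.
for sample in "$SAMPLE_HOST_ONLY" "$SAMPLE_WITH_HTTPD"; do
    if certmonger_may_stop "$sample" "$HOST_NICK"; then
        echo "only the host certificate is tracked: certmonger may be stopped"
    else
        echo "other certificates are tracked: leave certmonger running"
    fi
done
```

In a real upgrade hook the sample text would be replaced by the live output of `getcert list`, and the decision to disable the service would be taken only on the success branch of `certmonger_may_stop`.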
