[Freeipa-devel] [PATCH] 1109 No client machine cert

Rob Crittenden rcritten at redhat.com
Fri Sep 5 13:26:55 UTC 2014


Martin Kosek wrote:
> On 09/05/2014 03:15 PM, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a):
>>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> The original plan was to keep generating the certificate, but in
>>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>>
>>>>>> I'm fine with either approach.
>>>>>>
>>>>>
>>>>> The cert has never been used and is now actively causing issues in
>>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>>> the location, but IMHO its time has come.
>>>>>
>>>>> rob
>>>>
>>>> One change that Rob's patch also does is that from now on, certmonger
>>>> would not be enabled and running by default on client machines. It would
>>>> only be enabled on IPA server.
>>>>
>>>> I am still not confident about the resolution to just stop generating the
>>>> certificate; I was leaning more towards making it optional + generating to
>>>> a better database as Honza proposed.
>>>>
>>>> Simo, Alexander, what is your take on this?
>>> I'm fine with making it optional. However, on client machine upgrades do
>>> not stop and disable certmonger if it is tracking more than just the
>>> host certificate.
>>>
>>
>> Well, that is unrelated to this change. Should that be a separate ticket?
>>
>> rob
>>
> 
> I see it as very related. If we choose to do this optionally, instead of
> removing the code, we would do it conditionally (with different NSS database).

I'd prefer to remove it altogether and potentially add it back
conditionally if anyone notices.

> But so far, it seems we chose to simply remove the code, i.e. no
> ticket needed.

Alexander is pointing out that we disable certmonger at the end of
ipa-client-install and this is not good if certmonger is tracking
anything else (IPA or otherwise). This is a good point but not related
to whether we issue and track a cert ourselves.

In fact, to expand on his concerns, it is probably wise to do something
similar to what we do in ipa-server-install during uninstall where we
list the still-tracked certs for further investigation.

rob
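The uninstall-time check Rob sketches above, as an added example that is not FreeIPA's own code: parse `getcert list` output, treat the client machine cert as the one stored in /etc/pki/nssdb under the nickname "Local IPA host" (both values are assumptions, not taken from the thread), and only consider certmonger safe to stop when nothing else is still tracked; the sample output is constructed.

```python
import re

# Constructed sample of `getcert list` output (not captured from a real host):
# the first request is the client cert ipa-client-install used to create, the
# second is an unrelated certificate an admin asked certmonger to track.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140905120000':
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=client.example.com,O=EXAMPLE.COM
Request ID '20140905120001':
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/web.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
\tCA: IPA
\tsubject: CN=www.example.com,O=EXAMPLE.COM
"""

# Assumed location and nickname of the client machine cert (assumption).
CLIENT_NSSDB = "/etc/pki/nssdb"
CLIENT_NICKNAME = "Local IPA host"


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    return requests


def is_client_machine_cert(req):
    """True if the request is the IPA client cert that uninstall removes itself."""
    cert = req.get("certificate", "")
    return (f"location='{CLIENT_NSSDB}'" in cert
            and f"nickname='{CLIENT_NICKNAME}'" in cert)


def certmonger_shutdown_plan(text):
    """Return (safe_to_stop_certmonger, request ids still tracked by others)."""
    leftovers = [r["id"] for r in parse_getcert_list(text)
                 if not is_client_machine_cert(r)]
    return (not leftovers, leftovers)
```

An uninstaller would run `getcert list`, feed its stdout to `certmonger_shutdown_plan`, and print the leftover ids for further investigation instead of disabling the service when the first element is False.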
