[Freeipa-devel] [PATCH] 1109 No client machine cert

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 5 13:29:00 UTC 2014


On Fri, 05 Sep 2014, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 3.9.2014 at 21:23, Rob Crittenden wrote:
>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>
>>>>>> rob
>>>>>
>>>>> The original plan was to keep generating the certificate, but in
>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>
>>>>> I'm fine with either approach.
>>>>>
>>>>
>>>> The cert has never been used and is now actively causing issues in
>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>> the location, but IMHO its time has come.
>>>>
>>>> rob
>>>
>>> One change that Rob's patch also does is that from now on, certmonger would not
>>> be enabled and running by default on client machines. It would only be enabled
>>> on IPA server.
>>>
>>> I am still not confident about the resolution to just stop generating the
>>> certificate, I was leaning more towards making it optional + generating to
>>> a better database as Honza proposed.
>>>
>>> Simo, Alexander, what is your take on this?
>> I'm fine with making it optional. However, on client machine upgrades do
>> not stop and disable certmonger if it is tracking more than just the
>> host certificate.
>>
>
>Well, that is unrelated to this change. Should that be a separate ticket?
A separate ticket is fine too. 
-- 
/ Alexander Bokovoy



