Bug 1248528

Summary: [RFE] add option to request web certificate from IPA
Product: [oVirt] ovirt-engine
Reporter: David Jaša <djasa>
Component: RFEs
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED WONTFIX
QA Contact: Pavel Stehlik <pstehlik>
Severity: low
Docs Contact:
Priority: unspecified
Version: ---
CC: alonbl, bugs, didi, ecohen, gklein, lsurette, oourfali, rbalakri, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Flags: ylavi: ovirt-future?, ylavi: planning_ack?, ylavi: devel_ack?, ylavi: testing_ack?
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-22 14:04:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Jaša 2015-07-30 13:01:27 UTC
Description of problem:
When a machine is joined to an IPA domain, getting a new certificate is pretty easy; all that's needed is to issue this command:
ipa-getcert request -f /etc/pki/tls/certs/localhost.crt -k /etc/pki/tls/private/localhost.key -r
The result will be a new certificate in the specified locations, directly usable by mod_ssl, in a matter of seconds. The certificate will also get auto-renewed when it is about to expire.
No further authentication is needed either. Because of all of these, it would be nice for engine-setup to include an option to request a web certificate from IPA as part of the setup process.

Version-Release number of selected component (if applicable):
oVirt 3.6

Comment 1 Alon Bar-Lev 2015-08-02 08:34:28 UTC
This may be a dup of bug#1134219, although it will provide a limited set of options. We do not replace the sysadmin; configuration of apache ssl is optional, the sysadmin can configure it in any way he wishes, and engine setup does not enforce anything.

In your sequence you can instruct engine not to configure apache ssl and use the command provided in order to configure it.

So I would have closed this as wontfix.

Comment 2 David Jaša 2015-08-03 10:33:27 UTC
This would be a tiny subset of bug 1134219 and possibly of IPA integration. I know I can instruct it not to configure ssl and finish it by myself, but this seems so easy on the setup part (try the command and print result) that it's worth having it without any other bits in place.

Comment 3 Alon Bar-Lev 2015-08-03 10:37:34 UTC
(In reply to David Jaša from comment #2)
>that it's worth to have it without any other bits in place.

No, it is not. We should focus on our product. Sysadmins are paid for a reason.

Comment 4 Yaniv Kaul 2015-11-22 14:04:22 UTC
(In reply to David Jaša from comment #2)
> This would be a tiny subset of bug 1134219 and possibly of IPA integration.
> I know I can instruct not to configure ssl and finish it by myself but this
> seems so easy on setup part (try the command and print result) that it's
> worth to have it without any other bits in place.

I prefer (right now) to have a well-documented procedure for the integration rather than invest in developing only this. Closing (for the time being) as WONTFIX until we get more demand for a smooth integration with IPA.