Bug 716653

Summary: self-signed ssl certificate expiry too short
Product: [Fedora] Fedora
Component: httpd
Version: 15
Hardware: Unspecified
OS: Unspecified
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Keywords: Reopened
Reporter: JW <ohtmvyyn>
Assignee: Joe Orton <jorton>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jfearn, jorton, pahan
Doc Type: Bug Fix
Last Closed: 2011-07-20 13:20:15 UTC

Description JW 2011-06-26 03:19:18 UTC
Description of problem:


Version-Release number of selected component (if applicable):
httpd-2.2.17-10

How reproducible:
Always

Steps to Reproduce:
1. grep x509 httpd.spec

  
Actual results:
1. -x509 -days 365 -set_serial $RANDOM -extensions v3_req

Expected results:
1. -x509 -days 36500 -set_serial $RANDOM -extensions v3_req

Additional info:
Why make the certificate expiry so short? The certwatch utility conveniently ignores any certificate with a CN of localhost.localdomain (amazing that a completely independent rpm has inner knowledge of httpd's certificate generation process, and even more amazing that it colludes to ignore it) so when the certificate does expire after 1 year nobody except httpd clients will get to see it.  The owner of the certificate might be the last to know.  Why not just give the certificate an expiry of 100 years?
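
The failure mode raised in the report above, a packaged default certificate that expires without its owner being warned, can be covered by an explicit expiry check that does not skip the `localhost.localdomain` CN. This is an added example, not part of the bug report or of the httpd package; the function names, the 30-day warning window and the generated sample certificates are assumptions, and it needs the `openssl` command-line tool.

```shell
# Added example. Function names, the 30-day window and the sample
# certificates are assumptions; requires the openssl CLI.

# Constructed sample: self-signed cert with the CN and -days value
# discussed in the report. $1 = days valid, $2 = output path prefix.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=localhost.localdomain" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Print the subject CN of the PEM certificate in $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Print UNREADABLE, EXPIRED, EXPIRING or OK for certificate $1,
# using a warning window of $2 days before notAfter.
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo EXPIRING
    else
        echo OK
    fi
}

# One report line per certificate; returns non-zero unless status is OK.
report_cert() {
    cn=$(cert_cn "$1")
    st=$(cert_status "$1" "$2")
    note=""
    if [ "$cn" = "localhost.localdomain" ]; then
        note=" (packaged default CN)"
    fi
    echo "$st $1 CN=$cn$note"
    [ "$st" = OK ]
}

# Demo on constructed certificates: 365 days as in the spec, and 1 day.
tmp=$(mktemp -d)
make_test_cert 365 "$tmp/year" && make_test_cert 1 "$tmp/day"
report_cert "$tmp/year.crt" 30 || true
report_cert "$tmp/day.crt" 30 || true
rm -rf "$tmp"
```

Run from cron against the deployed certificate path, the non-zero return of `report_cert` can drive a mail or monitoring alert.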

Comment 1 Joe Orton 2011-06-27 12:00:43 UTC
1) Tone down the rhetoric, please.

2) Anybody relying on the expiry time of this cert rather than getting a real cert for a public site is screwed anyway.  The expiry time is arbitrary, and I'm not going to get into a bikeshed painting exercise about this.

Comment 2 JW 2011-06-27 12:17:12 UTC
Who said anything about a public site?

I certainly didn't.

Besides, that has absolutely nothing to do with the price of fish (or bikeshed painting whatever that is).

The question is: why create a self-signed certificate with a limited life?  What is the point of doing that?

And since creating a certificate that lasts for 100 years has zero cost, why not do that?

Tone down your illogicality please!

Comment 3 Joe Orton 2011-06-27 12:36:47 UTC
c.f. http://lightblue.bikeshed.com/

The only point of creating a cert here is so that we can ship a working mod_ssl configuration.  That is the only point.  Anybody relying on the test cert for any other use is screwed.  Please don't abuse bugzilla by re-opening bugs if you disagree with the maintainer's decision.

Comment 4 JW 2011-06-27 12:57:12 UTC
For goodness sake. You are so damned lazy you won't even consider changing 365 to 36500.  What is your problem?

Comment 5 JW 2011-06-27 13:03:27 UTC
> Please don't abuse bugzilla by re-opening bugs if
> you disagree with the maintainer's decision.

Ok then, what procedure should one follow if one disagrees with the maintainer?

Because quite clearly the maintainer is 100% wrong on this matter.

Comment 6 Joe Orton 2011-07-20 13:20:15 UTC
> Ok then, what procedure should one follow if one disagrees with the maintainer?

http://fedoraproject.org/wiki/Fedora_Engineering_Steering_Committee

Please do not re-open this bug again.