Bug 1248528 - [RFE] add option to request web certificate from IPA
Status: CLOSED WONTFIX
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Severity: low
Assigned To: Sandro Bonazzola
Pavel Stehlik
integration
Keywords: FutureFeature
Reported: 2015-07-30 09:01 EDT by David Jaša
Modified: 2015-11-22 09:04 EST
Doc Type: Enhancement
Last Closed: 2015-11-22 09:04:22 EST
Type: Bug
ylavi: ovirt‑future?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?


Description David Jaša 2015-07-30 09:01:27 EDT
Description of problem:
When a machine is joined to an IPA domain, getting a new certificate is pretty easy; all that's needed is to issue this command:
ipa-getcert request -f /etc/pki/tls/certs/localhost.crt -k /etc/pki/tls/private/localhost.key -r
The result will be a new certificate in the specified locations, directly usable by mod_ssl, in a matter of seconds. The certificate will also get auto-renewed when it is about to expire.
No further authentication is needed either. Because of all of this, it would be nice for engine-setup to include an option to request a web certificate from IPA as part of the setup process.

Version-Release number of selected component (if applicable):
oVirt 3.6
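
Added example, not part of the original report or of oVirt: a check a sysadmin could run after the ipa-getcert request in the description to confirm that certmonger is tracking the certificate and will auto-renew it. The function names and the sample `ipa-getcert list` output (hostname, realm, dates) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that certmonger tracks the
# certificate requested with ipa-getcert and will renew it automatically.

CERT=/etc/pki/tls/certs/localhost.crt   # path from the command in the report

# cert_tracking_ok CERTFILE
# Reads `ipa-getcert list` output on stdin. Succeeds only if the request that
# stores its certificate at CERTFILE is MONITORING, not stuck, issued by the
# CA named IPA, and has auto-renew enabled.
cert_tracking_ok() {
    awk -v want="$1" '
        function finish_request() {
            if (hit && st == "MONITORING" && stuck == "no" &&
                ca == "IPA" && renew == "yes")
                ok = 1
            hit = 0; st = stuck = ca = renew = ""
        }
        /^Request ID/        { finish_request(); next }
        $1 == "status:"      { st = $2 }
        $1 == "stuck:"       { stuck = $2 }
        $1 == "CA:"          { ca = $2 }
        $1 == "auto-renew:"  { renew = $2 }
        $1 == "certificate:" && index($0, "location=\047" want "\047") { hit = 1 }
        END { finish_request(); exit(ok ? 0 : 1) }
    '
}

# Constructed sample of `ipa-getcert list` output (hostname, realm and dates
# are made up) so the check runs without an IPA client.
sample_tracked() {
    cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20150730130127':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/localhost.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/localhost.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=engine.example.test,O=EXAMPLE.TEST
    expires: 2017-07-30 13:01:28 UTC
    track: yes
    auto-renew: yes
EOF
}

# On an enrolled host: ipa-getcert list | cert_tracking_ok "$CERT"
if sample_tracked | cert_tracking_ok "$CERT"; then echo "tracked, auto-renew on"; fi
```

A non-zero exit means the web certificate is either not tracked at that path or is in a state where it will not renew on its own, so it needs attention before it expires.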
Comment 1 Alon Bar-Lev 2015-08-02 04:34:28 EDT
This may be a dup of bug#1134219, although it will provide a limited set of options. We do not replace the sysadmin; configuration of apache ssl is optional, the sysadmin can configure it in any way he wishes, and engine setup does not enforce anything.

In your sequence you can instruct engine not to configure apache ssl and use the command provided in order to configure it.

So I would have closed this as wontfix.
Comment 2 David Jaša 2015-08-03 06:33:27 EDT
This would be a tiny subset of bug 1134219 and possibly of IPA integration. I know I can instruct not to configure ssl and finish it by myself but this seems so easy on setup part (try the command and print result) that it's worth to have it without any other bits in place.
Comment 3 Alon Bar-Lev 2015-08-03 06:37:34 EDT
(In reply to David Jaša from comment #2)
>that it's worth to have it without any other bits in place.

No, it is not. We should focus on our product. Sysadmins are paid for a reason.
Comment 4 Yaniv Kaul 2015-11-22 09:04:22 EST
(In reply to David Jaša from comment #2)
> This would be a tiny subset of bug 1134219 and possibly of IPA integration.
> I know I can instruct not to configure ssl and finish it by myself but this
> seems so easy on setup part (try the command and print result) that it's
> worth to have it without any other bits in place.

I prefer (right now) to have a good documented procedure for the integration than invest in developing only this. Closing (for the time being) as WONTFIX until we get more demand for a smooth integration with IPA.
