Bug 1248528 - [RFE] add option to request web certificate from IPA
Summary: [RFE] add option to request web certificate from IPA
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Sandro Bonazzola
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On:
Blocks:
Reported: 2015-07-30 13:01 UTC by David Jaša
Modified: 2015-11-22 14:04 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-22 14:04:22 UTC
oVirt Team: ---
Embargoed:
ylavi: ovirt-future?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?


Description David Jaša 2015-07-30 13:01:27 UTC
Description of problem:
When a machine is joined to an IPA domain, getting a new certificate is pretty easy; all that's needed is to issue this command:
ipa-getcert request -f /etc/pki/tls/certs/localhost.crt -k /etc/pki/tls/private/localhost.key -r
The result will be a new certificate in the specified locations, directly usable by mod_ssl, in a matter of seconds. The certificate will also get auto-renewed when it is about to expire.
No further authentication is needed either. Because of all of these, it would be nice for engine-setup to include an option to request a web certificate from IPA as part of the setup process.

Version-Release number of selected component (if applicable):
oVirt 3.6

Comment 1 Alon Bar-Lev 2015-08-02 08:34:28 UTC
This may be a dup of bug #1134219, although it will provide a limited set of options. We do not replace the sysadmin; configuration of apache ssl is optional, the sysadmin can configure it in any way he wishes, and engine setup does not enforce anything.

In your sequence you can instruct engine not to configure apache ssl and use the command provided in order to configure it.

So I would have closed this as wontfix.

Comment 2 David Jaša 2015-08-03 10:33:27 UTC
This would be a tiny subset of bug 1134219 and possibly of IPA integration. I know I can instruct it not to configure ssl and finish it by myself, but this seems so easy on the setup part (try the command and print the result) that it's worth having it without any other bits in place.

Comment 3 Alon Bar-Lev 2015-08-03 10:37:34 UTC
(In reply to David Jaša from comment #2)
> that it's worth having it without any other bits in place.

No, it is not. We should focus on our product. Sysadmins are paid for a reason.

Comment 4 Yaniv Kaul 2015-11-22 14:04:22 UTC
(In reply to David Jaša from comment #2)
> This would be a tiny subset of bug 1134219 and possibly of IPA integration.
> I know I can instruct it not to configure ssl and finish it by myself, but this
> seems so easy on the setup part (try the command and print the result) that it's
> worth having it without any other bits in place.

I prefer (right now) to have a good documented procedure for the integration than invest in developing only this. Closing (for the time being) as WONTFIX until we get more demand for a smooth integration with IPA.