Re: Making CA certificate available over http, __default__ rewrites



On Thu, Jul 11, 2013 at 09:19:40AM -0400, Brenton Leanhardt wrote:
> 
> Am I misunderstanding your suggestion?  Are you wanting to serve the
> CA only for your installation of OpenShift or are you suggesting this
> become the standard for Origin?

Ideally there should be a way for users to get the CA certificate
from their OpenShift Origin deployment to their client machines. Yes,
the IT department of the organization can put it in a well-known
place or even into some CA bundle they distribute in their organization,
but in some situations, getting it from that OpenShift Origin website
is enough. Test automation is one such case.

But my question went beyond the particular "fetch the CA certificate"
use case. Even if the RewriteRule to allow the file to be fetched
from the broker is not there by default, admins should still have a
reasonably easy way to amend the broker configuration, to add this CA
config there, or, for example, to co-host Nagios or FreeIPA or other
software on the broker. And the problem that I hit in the all-in-one
installation is that if you also have a node on the machine, you have to
do that configuration twice -- not just in the broker's conf file but in
the node's as well, and it then also applies to the gears, which is not
what we want. It would be nice if the node's config only dealt with gears
but not with the hostname which is not a gear -- the broker.

Granted, all-in-one co-hosted with some other product is not something
that we'd be recommending for production use, but for POCs, demos, and
general hacking, having it on one box makes some things much easier.

> The change that worries me is that some may think that is secure and
> clients will be written that first fetch the server certificate from
> the server and then use it for a 'trusted' connection.

By no means do I propose that fetching the CA certificate should
happen automatically, in the rhc client. It certainly should be
a manual step.

> I want to make the former work, but I'm cautious about the latter.
> 
> FWIW, http://curl.haxx.se/docs/sslcerts.html mentions how you can use
> 'openssl s_client'.  It's definitely not as convenient as fetching a
> file though.

Right.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
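The manual step discussed in the thread (grab the CA certificate the broker presents, then verify it against a fingerprint obtained out of band before trusting it) written out as a small POSIX shell helper; this is an added illustration, not code from the thread or from OpenShift Origin, and the function names, the `broker.example.test` host and the trust-store path are assumptions.

```shell
#!/bin/sh
# Added example. Helper names (fetch_ca_chain, cert_fingerprint,
# check_fingerprint) are hypothetical; the trust-store path below is the
# RHEL/Fedora one and is an assumption about the client machine.

# Dump the chain the broker presents and keep the LAST certificate in it
# (the issuing CA when the server sends its chain). -showcerts prints the
# chain whether or not it verifies, so the result is untrusted input.
fetch_ca_chain() {
    host="$1"; port="${2:-443}"; out="$3"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
         inside { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { inside = 0; last = buf }
         END { printf "%s", last }' > "$out"
    [ -s "$out" ]
}

# SHA-256 fingerprint (colon-separated hex) of the first cert in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare the fetched certificate with a fingerprint the admin handed you
# out of band (console, ticket, signed mail). Returns 0 only on a match;
# this comparison is the step that turns "downloaded over HTTP(S)" into
# "trusted", so it must not be skipped or automated away.
check_fingerprint() {
    actual=$(cert_fingerprint "$1") || return 2
    [ "$actual" = "$2" ]
}

# Usage (interactive, not run here):
#   fetch_ca_chain broker.example.test 443 ca.crt &&
#   check_fingerprint ca.crt "$EXPECTED_SHA256" &&
#   install -m 0644 ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust
```

A mismatch leaves the trust store untouched; treat it as a signal to stop and ask the broker admin for the real fingerprint rather than retrying.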
