Issue #2013
Status: closed
SSL certs are created at install time, but should be at setup runtime
Severity: 3. High
Version: Master
Platform Release: 2.13.0
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 17
Description
The report from Red Hatter Kurt Seifried is quoted below from the corresponding BZ and describes the issue well. We should probably have pulp-manage-db create the certs if they are missing. (And for that matter, we should probably rename it at some point to pulp-setup or something like that.)
Kurt pointed out this resource, which is a valuable guide on the general topic: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup
Version-Release number of selected component (if applicable):
pulp-2.4.1-0.7.beta.el7sat but latest upstream also has it.
How reproducible:
Always.
postinstall:
openssl genrsa -out $KEY_PATH 2048 &> /dev/null
openssl rsa -in $KEY_PATH -pubout > $KEY_PATH_PUB 2> /dev/null
Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.
Actual results:
All container and image instances share the same key/cert.
Expected results:
Each instance should receive a unique key/cert.
Additional info:
This bug is being filed because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506
The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.
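The runtime check and generation recommended above, as an added example that is not part of the original issue or of Pulp's code: a setup-time function that creates the RSA key pair only when it is missing, so each container or image instance gets its own key on first run. The helper name `ensure_keypair` is an assumption; the openssl commands and the `KEY_PATH`/`KEY_PATH_PUB` variables are those of the postinstall scriptlet quoted in the report.

```shell
#!/bin/sh
# Added example: generate the key pair at setup/first run, not in the RPM
# postinstall scriptlet (which runs once, when the image is built).
# ensure_keypair is a hypothetical helper name.

ensure_keypair() {
    key_path=$1
    pub_path=$2
    key_dir=$(dirname "$key_path")
    mkdir -p "$key_dir" || return 1

    # Runtime check: only generate when no usable private key exists, so
    # re-running setup never replaces a key that is already in use.
    if [ ! -s "$key_path" ]; then
        (
            umask 077    # key file is created owner-only (0600)
            tmp=$(mktemp "$key_dir/.rsa.XXXXXX") || exit 1
            trap 'rm -f "$tmp"' EXIT
            # Write to a temp file and rename, so an interrupted run cannot
            # leave a truncated key that later passes the existence check.
            openssl genrsa -out "$tmp" 2048 2>/dev/null || exit 1
            mv -f "$tmp" "$key_path"
        ) || return 1
        rm -f "$pub_path"    # any old public key no longer matches
    fi

    # Derive the public half if it is missing (fresh key, or file was lost).
    if [ ! -s "$pub_path" ]; then
        openssl rsa -in "$key_path" -pubout -out "$pub_path" 2>/dev/null || return 1
        chmod 644 "$pub_path"
    fi
}

# Usage from a setup command, with the variables the scriptlet used:
#   ensure_keypair "$KEY_PATH" "$KEY_PATH_PUB"
```

Because the function is idempotent, it can be called on every run of the setup command rather than guarded by a separate "first run" flag.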
RSA key pair and SSL CA certificate generation removed from pulp.spec. closes #2013