Project

Profile

Help

Issue #621

closed

Deprecate the cacert and cakey settings in server.conf

Added by rbarlow over 9 years ago. Updated over 4 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
2.4.0
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:
The cacert and cakey settings in server.conf are currently used to configure Pulp to use a CA for signing client certificates generated by Pulp. These settings often confuse our users, as they tend to think it should be the CA that signed the httpd SSL certificates.

In addition, it is far from ideal that our /login/ API call generates the secret key, certificate, and signature and sends those to the client. This violates the principle that the key should never be transmitted.

We have two viable options:

1) Rename these settings to be more descriptive so that they don't confuse users. Something like client_auth_ca{cert,key} might make sense. If we do this, the client should generate the secret key and a CSR, and send that CSR with their credentials to the /login/ call. Then the server signs the CSR and sends back the certificate.

2) Get out of the business of signing certificates entirely, and change /login/ to return a session key or something along those lines. Of course, continue to support client certificates that are generated by users on both ends (through Apache and pulp-admin).

Either way, we need to put a deprecation on these two settings so that people know they are going away ahead of time.

This bug is not about changing the /login/ behavior, it is about depreacating these two settings.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time.

Steps to Reproduce:
1. Does Pulp have these settings in server.conf?

Actual results:
Yes.

Expected results:
No.

+ This bug was cloned from Bugzilla Bug #1165403 +


Related issues

Blocks Pulp - Issue #623: Remove the cacert and cakey settings in server.confCLOSED - WONTFIXActions
Actions #1

Updated by jortel@redhat.com over 9 years ago

Deprecate.

+ This comment was cloned from Bugzilla #1165403 comment 1 +

Actions #2

Updated by skarmark@redhat.com over 9 years ago

Deprecates in https://github.com/pulp/pulp/pull/1512, but not moving to POST, since this will be moved to target release 3.0 after review and merge of the above PR.

+ This comment was cloned from Bugzilla #1165403 comment 2 +

Actions #3

Updated by skarmark@redhat.com over 9 years ago

Merged above PR. Moving to 3.0.

+ This comment was cloned from Bugzilla #1165403 comment 3 +

Actions #4

Updated by amacdona@redhat.com over 9 years ago

  • Platform Release deleted (3.0.0)
Actions #5

Updated by bmbouter over 9 years ago

  • Blocks Issue #623: Remove the cacert and cakey settings in server.conf added
Actions #6

Updated by bmbouter over 9 years ago

  • Severity changed from Medium to 2. Medium
Actions #7

Updated by bmbouter over 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #8

Updated by bmbouter over 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #9

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
Actions #10

Updated by bmbouter over 4 years ago

  • Category deleted (14)

We are removing the 'API' category per open floor discussion June 16, 2020.

Also available in: Atom PDF