Martin Kosek wrote:
> On 09/05/2014 03:15 PM, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Fri, 05 Sep 2014, Martin Kosek wrote:
>>>> On 09/04/2014 05:13 PM, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 3.9.2014 at 21:23, Rob Crittenden wrote:
>>>>>>> No longer request and install a cert for the IPA client machine.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> The original plan was to keep generating the certificate, but in
>>>>>> /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).
>>>>>>
>>>>>> I'm fine with either approach.
>>>>>>
>>>>>
>>>>> The cert has never been used and is now actively causing issues in
>>>>> RHEL-7 with systemd and kickstart. It could be made optional, and move
>>>>> the location, but IMHO its time has come.
>>>>>
>>>>> rob
>>>>
>>>> One change that Rob's patch also does is that from now on, certmonger
>>>> would not be enabled and running by default on client machines. It would
>>>> only be enabled on IPA server.
>>>>
>>>> I am still not confident about the resolution to just stop generating the
>>>> certificate, I was leaning more towards making it optional + generating to
>>>> a better database as Honza proposed.
>>>>
>>>> Simo, Alexander, what is your take on this?
>>> I'm fine with making it optional. However, on client machine upgrades do
>>> not stop and disable certmonger if it is tracking more than just the
>>> host certificate.
>>>
>>
>> Well, that is unrelated to this change. Should that be a separate ticket?
>>
>> rob
>>
>
> I see it as very related. If we choose to do this optionally, instead of
> removing the code, we would do it conditionally (with different NSS database).

I'd prefer to remove it altogether and potentially add it back conditionally if anyone notices.

> But so far, it seems we chose to really simply just remove the code, i.e.
> no ticket needed.

Alexander is pointing out that we disable certmonger at the end of ipa-client-install and this is not good if certmonger is tracking anything else (IPA or otherwise). This is a good point but not related to whether we issue and track a cert ourselves.

In fact, to expand on his concerns, it is probably wise to do something similar to what we do in ipa-server-install during uninstall where we list the still-tracked certs for further investigation.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
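The check Rob suggests at the end of the message, listing what certmonger still tracks before stopping and disabling it, as an added example written for this thread and not FreeIPA's own code. It reads `getcert list` output on stdin, runs here against a constructed sample, and assumes the client host cert is recognisable by the "IPA Machine Certificate" nickname (HOST_CERT_TAG); the request ids and file paths in the sample are made up.

```shell
# Added example for this thread (not FreeIPA code): before stopping and
# disabling certmonger on a client, list what it still tracks.
# Both functions read `getcert list` output on stdin.
# ASSUMPTION: the client host cert carries the "IPA Machine Certificate"
# nickname mentioned in this thread; adjust HOST_CERT_TAG for your deployment.
HOST_CERT_TAG="IPA Machine Certificate"

# Constructed sample of `getcert list` output: the IPA host cert plus one
# unrelated request (a web server cert) that certmonger also tracks.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140905101500':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - client.example.com'
    CA: IPA
Request ID '20140905103000':
    status: MONITORING
    key pair storage: type=FILE,location='/etc/pki/tls/private/web.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
    CA: IPA
EOF
)

# Print "<request id><TAB><certificate storage>" for every tracked request
# whose certificate is not the IPA host cert.
other_tracked_certs() {
    awk -v skip="$HOST_CERT_TAG" '
        /^Request ID/ {
            # $3 is the quoted request id followed by a colon; strip both
            id = substr($3, 2, length($3) - 3)
        }
        /^[[:space:]]*certificate:/ && index($0, skip) == 0 {
            sub(/^[[:space:]]*certificate: /, "")
            print id "\t" $0
        }'
}

# Return 0 when nothing else is tracked (safe to stop certmonger); otherwise
# print the remaining requests to stderr for investigation and return 1.
certmonger_safe_to_disable() {
    remaining=$(other_tracked_certs)
    if [ -n "$remaining" ]; then
        echo "certmonger still tracks certificates other than the host cert:" >&2
        printf '%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}
```

On a real client, pipe the live `getcert list` output into `certmonger_safe_to_disable` and only stop the service when it returns 0; the constructed sample above makes it return 1 and print the web server request.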