On 03/15/2018 12:51 AM, Julia Kreger wrote:
> On Wed, Mar 14, 2018 at 4:52 AM, Dmitry Tantsur <[email protected]> wrote:
>> Just to clarify: only for public endpoints, right? I don't think e.g.
>> ironic-python-agent can talk to self-signed certificates yet.
>
> For what it is worth, it is possible for IPA to speak to a self-signed
> certificate, although it requires injecting the signing private CA
> certificate into the ramdisk or iso image that is being used. There
> are a few other options that can be implemented, but those may also
> lower overall security posture.

Yep, that's the problem.

We can quite easily make IPA talk to custom https.

We cannot securely make IPA expose an https endpoint without using virtual media (not supported by tripleo, vendor-specific).

We cannot (IIUC) make iPXE use https with custom certificates without rebuilding the firmware from source.


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


