Add a missing step for SSL cert renewal#3941
rh-max wants to merge 2 commits into theforeman:master from
The PR preview for cbf2908 is available at theforeman-foreman-documentation-preview-pr-3941.surge.sh. The following output files are affected by this PR:
ekohl left a comment:
I wouldn't expect this to be needed since services should restart after changing certificates. That IMHO is a bug and we shouldn't only document steps for users to work around bugs.
@adamruzicka I get the impression we only support the system trust store for TLS LDAP connections. Is that correct? If so, then that we support that at all is a complete side effect that in the bootstrap RPM building we add it to the trusted CA store:
https://github.com/theforeman/puppet-foreman_proxy_content/blob/11cadd50b6cf19baa2edaea44bd6f85e87282fce/manifests/bootstrap_rpm.pp#L20-L23
AFAIK we never intended that to work and once we drop the bootstrap RPM and/or containerize we'll likely break that functionality. Do we have any tests that verify this behavior?
That seems to be true.
If I'm reading things right (cc @lhellebr to keep me on the right track), the openldap/ad/idm instances we have available use their own (possibly self-signed) certs. In tests, the ca cert is pulled from the openldap/ad/idm instance and placed into
Lennonka left a comment:
I think this needs to be cherry-picked to older versions as well -> updating PR description.
Review thread on guides/common/modules/proc_renewing-a-custom-ssl-certificate-on-server.adoc (outdated, resolved)
This made me look for what we have today and at least found #3954. Then I also wondered about what OpenSSL does. I see that if no While I don't want to dive so deep in the code to verify it, I do think it's very likely that it caches all the trusted certificates in the store and the report is valid. I just don't like that it restarts services that may have already been restarted. Worse, it may be incomplete in other places. Back to my original goal: which documentation do we have for this? The answer is https://docs.theforeman.org/nightly/Configuring_User_Authentication/index-katello.html#Configuring_TLS_for_Secure_LDAP_authentication. There is no restart there. @adamruzicka @lhellebr can we verify the original report is a problem and then decide on a proper solution? I'm inclined to treat this as a bug report rather than a docs bug. We may choose to work around it in docs, but preferably we solve it in code.
@adamruzicka our external LDAP sources use certs signed by RH CA
maximiliankolb left a comment:
Two minor suggestions; one is more or less mandatory.
Review thread on guides/common/modules/proc_renewing-a-custom-ssl-certificate-on-server.adoc (outdated, resolved):
line 12: please change "*" to "." to make it an ordered list.
triage: @rh-max Please apply the suggestions.
Co-authored-by: Maximilian Kolb <[email protected]>
Co-authored-by: Lena Ansorgová <[email protected]>
Moving to draft while we look for a new owner.
What changes are you introducing?
Adding the missing service restart step.
Why are you introducing these changes? (Explanation, links to references, issues, etc.)
https://issues.redhat.com/browse/SAT-19673
Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)
Checklists
Please cherry-pick my commits into: