| Summary: | ansible: Install LDAP certificates in /etc/openldap/cacerts | | |
|---|---|---|---|
| Product: | Infrastructure | Reporter: | Michael Tremer <michael.tremer> |
| Component: | --- | Assignee: | Timo Eissler <morlix> |
| Status: | CLOSED FIXED | QA Contact: | |
| Severity: | Security | | |
| Priority: | - Unknown - | CC: | morlix |
| Version: | unspecified | | |
| Hardware: | unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | | | |
| Bug Blocks: | 11640, 11643 | | |
Description

Michael Tremer, 2018-02-26 19:48:59 UTC
Implemented in the ansible common role. Currently the complete Let's Encrypt CA certificates would be added:

- ISRG Root X1
- Let's Encrypt X3 cross-signed
- Let's Encrypt X3 ISRG Root X1 signed

Do you really want the cacerts to be deployed to /etc/openldap/cacerts/ or /etc/openldap/certs? I'm asking because the directory /etc/openldap/certs exists at least on git01.ipfire.org but the directory /etc/openldap/cacerts/ does not.

Yes, put them into /etc/openldap/cacerts, please.

Today, I tried to deploy a machine and c_rehash wasn't installed. I didn't think it should be installed as part of the common packages and created an extra task for that. Please review and change it; that wasn't a good idea.

I prefer to install the certificates into the Fedora / CentOS ca trust store (/etc/pki/ca-trust/source/anchors/). This way we don't need to configure every application to use the certs below the openldap path. Additionally we don't need to install c_rehash as this will be done by the "update-ca-trust" program.

I can't find an extra task for the c_rehash installation?!

Done
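The trust-store approach the discussion settles on, written out as an added Ansible playbook example (this is not the IPFire ansible common role's own code). It copies the three Let's Encrypt CA certificates into /etc/pki/ca-trust/source/anchors/ and lets `update-ca-trust` rebuild the consolidated bundles, so no per-application path such as /etc/openldap/cacerts and no separate c_rehash package is needed. The host group name, the file names under `files/`, and the handler name are assumptions.

```yaml
---
# Added example, not the project's own role. Assumed: an inventory group
# "ldap_clients" and the three PEM files below present in files/ next to
# the playbook. Targets Fedora / CentOS, where ca-certificates provides
# update-ca-trust and the anchors directory.
- hosts: ldap_clients
  become: true

  handlers:
    # Rebuilds /etc/pki/ca-trust/extracted/* (PEM bundles and the hashed
    # OpenSSL directory); this replaces running c_rehash by hand.
    - name: update ca trust
      ansible.builtin.command:
        cmd: update-ca-trust

  tasks:
    - name: Ensure the system trust tooling is present
      ansible.builtin.package:
        name: ca-certificates
        state: present

    # CA certificates are public, so 0644 is fine; keeping them root-owned
    # prevents unprivileged users from adding their own trust anchors.
    - name: Install Let's Encrypt CA certificates as system trust anchors
      ansible.builtin.copy:
        src: "files/{{ item }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - isrg-root-x1.pem                        # assumed file name
        - lets-encrypt-x3-cross-signed.pem        # assumed file name
        - lets-encrypt-x3-isrg-root-x1-signed.pem # assumed file name
      notify: update ca trust

    # Run the handler now rather than at the end of the play, so any later
    # task that talks to LDAP over TLS already sees the new anchors.
    - name: Rebuild the trust store before continuing
      ansible.builtin.meta: flush_handlers
```

Because the copy task is idempotent, the handler only fires when a certificate file actually changes, which also makes the playbook a cheap periodic check that the deployed anchors still match the files kept in version control.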