Use OS certificate bundle #1617

Merged
merged 1 commit into from
Feb 3, 2022

kbrock
Member

@kbrock kbrock commented Nov 24, 2021

Part of ManageIQ/manageiq-appliance#341

This gets database ssl keys out of /root, which is only accessible to the root user, and into a standard location which is accessible to other users, namely user manageiq.

  1. Store the key that signed the postgres server in the standard location
  2. No longer store root.crt in /root so user manageiq can use it
  3. Still configure postgres for public and private key
  4. No longer store postgres.key in /var/vmdb/ since postgres cannot access those files.
  5. No longer configure postgres with a root cert that verifies the cert of the connecting client. This is typically ssl_ca_file=root.crt. We only use server side certificates and not client side certificates.
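
One way to check a `postgresql.conf` against the layout described in the PR description above, as an added example that is not part of the pull request or ManageIQ's code. The function names and the sample configs are constructed for illustration; `ssl`, `ssl_cert_file`, `ssl_key_file` and `ssl_ca_file` are standard PostgreSQL parameters.

```shell
# Added example (not ManageIQ code): audit postgresql.conf for the TLS layout in this PR.
# Usage: audit_pg_tls /path/to/postgresql.conf

# conf_value FILE KEY: print the last active value of KEY. Assumes values contain no '#'.
conf_value() {
    awk -v key="$2" -v q="'" '
        { sub(/#.*/, "") }                                  # drop comments
        match($0, /^[ \t]*[A-Za-z0-9_.]+/) {
            name = substr($0, RSTART, RLENGTH); gsub(/[ \t]/, "", name)
            if (tolower(name) != key) next
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(q, "", val); found = val                   # strip quotes, last one wins
        }
        END { print found }' "$1"
}

# audit_pg_tls FILE: print one line per finding; exit status is the number of findings.
audit_pg_tls() {
    conf=$1; findings=0
    case "$(conf_value "$conf" ssl)" in
        on|true|yes|1) ;;
        *) echo "FINDING: ssl is not enabled"; findings=$((findings + 1)) ;;
    esac
    for key in ssl_cert_file ssl_key_file; do
        path=$(conf_value "$conf" "$key")
        case "$path" in /root/*|/var/vmdb/*)                # locations the PR moves away from
            echo "FINDING: $key=$path is under a directory this PR moves keys out of"
            findings=$((findings + 1)) ;;
        esac
    done
    ca=$(conf_value "$conf" ssl_ca_file)
    if [ -n "$ca" ]; then                                   # item 5: server-side certs only
        echo "FINDING: ssl_ca_file=$ca configures a root cert for client certificates"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# sample_conf old|new: constructed configs, not taken from a real appliance.
sample_conf() {
    if [ "$1" = old ]; then
        printf '%s\n' "ssl = on" "ssl_key_file = '/var/vmdb/postgres.key'" "ssl_ca_file = 'root.crt'"
    else
        printf '%s\n' "ssl = on" "ssl_key_file = 'server.key'" "#ssl_ca_file = ''"
    fi
}
```

The constructed "old" sample yields two findings (key under `/var/vmdb/`, `ssl_ca_file` set); the "new" sample yields none.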

@kbrock
Member Author

kbrock commented Dec 7, 2021

/cc @jrafanie could you take a peek to see if this works like you thought it should?

@jrafanie
Member

jrafanie commented Dec 8, 2021

LGTM once the comments are addressed. 👍

@kbrock kbrock force-pushed the os_cert_bundle branch 3 times, most recently from 962346c to 295bd48 Compare December 9, 2021 23:40
@kbrock
Member Author

kbrock commented Dec 9, 2021

push: fixed updates

  • changed unix prompt in examples
  • removed comments remaining for root.crt
  • fixed cert target directory to include anchors
  • fixed postgres documentation link. Also changed the wording a little for that link.
  • fixed markdown for postgres documentation link
  • added headings for each section
  • added check/command to ensure

We are getting away from storing configuration files in /root.
Now we are storing the ssl certificates in the standard Linux location.
@miq-bot
Member

miq-bot commented Jan 18, 2022

Checked commit kbrock@e98b3f9 with ruby 2.6.3, rubocop 1.13.0, haml-lint 0.35.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 🍰

@miq-bot
Member

miq-bot commented Jan 18, 2022

Checked commit kbrock@e98b3f9 with ruby 2.6.3, rubocop 1.13.0, haml-lint 0.35.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 👍

Member

@Fryguy Fryguy left a comment

LGTM - @bdunne Can you take another look?

@bdunne bdunne merged commit 7e8555b into ManageIQ:master Feb 3, 2022
@kbrock kbrock deleted the os_cert_bundle branch February 3, 2022 15:15