Package: obs-api Version: 2.7.1-10 Severity: wishlist The Debian default configuration for obs-api uses the "snakeoil" self-signed certificate generated by the ssl-cert package, with OBS-specific certificates commented out:
> # SSLCertificateFile /srv/obs/certs/server.crt > # SSLCertificateKeyFile /srv/obs/certs/server.key > > SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem > SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key I think it would be better to configure it to use certificates in an OBS-specific location (/etc/obs/certs or /srv/obs/certs or similar), and have this logic (shown here as pseudocode) in the postinst: if /path/to/server.crt exists and /path/to/server.key exists: do nothing else: make-ssl-cert generate-default-snakeoil ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /path/to/server.crt ln -s /etc/ssl/private/ssl-cert-snakeoil.key /path/to/server.key That way, the sysadmin can replace /path/to/server.crt and /path/to/server.key with more appropriate keys, or with symlinks (for example to /etc/letsencrypt/live/obs.example.com/fullchain.pem and /etc/letsencrypt/live/obs.example.com/privkey.pem), either before or after installing OBS, and they will be used automatically without needing any other special configuration. smcv _______________________________________________ Pkg-ruby-extras-maintainers mailing list Pkg-ruby-extras-maintainers@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers