Heads Up - openssl makefile and scripts for creating self signed certificates
I was asked here to merge pull request that moves the openssl makefile and scripts for creating self signed certificates to /usr/share/doc. I am not sure this is the right thing to do as these are definitely still used currently. Although it is much easier now to set up proper certificates for your servers with Let's Encrypt, it is still not fully automatable process (it needs at least some set up at the beginning for the first issued certificate). Thus it cannot be included for example in rpm packages %post scripts, etc. At least I would like to know from maintainers of packages that depend on openssl whether they currently use the makefile or the scripts to create self signed certificate for the service. Tomas Mraz ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Heads Up - openssl makefile and scripts for creating self signed certificates
On 10/24/2017 04:23 PM, Tomas Mraz wrote: > I was asked here to merge pull request that moves the openssl makefile > and scripts for creating self signed certificates to /usr/share/doc. > > I am not sure this is the right thing to do as these are definitely > still used currently. > > Although it is much easier now to set up proper certificates for your > servers with Let's Encrypt, it is still not fully automatable process > (it needs at least some set up at the beginning for the first issued > certificate). Thus it cannot be included for example in rpm packages > %post scripts, etc. > > At least I would like to know from maintainers of packages that depend > on openssl whether they currently use the makefile or the scripts to > create self signed certificate for the service. One more thing to add - the pull request is here: https://src.fedoraproject.org/rpms/openssl/pull-request/1 Tomas Mraz ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Heads Up - openssl makefile and scripts for creating self signed certificates
On Tue, Oct 24, 2017 at 10:33 AM Tomas Mraz wrote: > On 10/24/2017 04:23 PM, Tomas Mraz wrote: > > I was asked here to merge pull request that moves the openssl makefile > > and scripts for creating self signed certificates to /usr/share/doc. > > > > I am not sure this is the right thing to do as these are definitely > > still used currently. > > > > Although it is much easier now to set up proper certificates for your > > servers with Let's Encrypt, it is still not fully automatable process > > (it needs at least some set up at the beginning for the first issued > > certificate). Thus it cannot be included for example in rpm packages > > %post scripts, etc. > > > > At least I would like to know from maintainers of packages that depend > > on openssl whether they currently use the makefile or the scripts to > > create self signed certificate for the service. > > One more thing to add - the pull request is here: > > https://src.fedoraproject.org/rpms/openssl/pull-request/1 > > I'd like to recommend that we start encouraging people to use SSCG for generating "self-signed"[1] certificates when their packages need them. Also, just a reminder: if you are using any of these tools to generate self-signed certificates as part of an RPM scriptlet, please stop doing that and read https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup which will teach you how to move that into a systemd unit that runs prior to service startup rather than when the package is installed. This has multiple advantages; the entropy pool is likely to be more full during system start-up and it allows tools like virt-sysprep to safely wipe out the certificates when making a Gold Master VM, since the system will automatically generate fresh ones. [1] SSCG actually generates a one-time-use CA, signs the certificates and then destroys the private key of the CA. See https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ for a complete explanation. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Heads Up - openssl makefile and scripts for creating self signed certificates
> "TM" == Tomas Mraz writes: TM> Although it is much easier now to set up proper certificates for TM> your servers with Let's Encrypt, it is still not fully automatable TM> process (it needs at least some set up at the beginning for the TM> first issued certificate). Thus it cannot be included for example in TM> rpm packages TM> %post scripts, etc. But packages shouldn't be creating certificates in %post scriptlets. At least those which start daemons (which I think would be most of them). That should be done when the daemon starts for the first time using sscg. See https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup - J< ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
