seth vidal wrote:
I was thinking about the funcd->certmaster interaction this weekend and
the problem we have with the localhostname that the system gets being
nothing the certmaster can really use or care about sensibly - for
example: somehostname.localdomain
it ends up meaning we have a system which can get a signed cert but we
cannot connect to from the certmaster using func b/c we don't have a
connectable hostname.
With that in mind I was wondering if it wouldn't make sense to have the
funcd->certmaster interaction be more involved:
funcd -> startup
funcd -> knock, knock, certmaster
funcd -> who am I?
certmaster -> I see you as foo.bar.org
funcd -> here's my csr for foo.bar.org
certmaster -> thanks
later after the sysadmin signs the csr
funcd -> knock, knock, certmaster
funcd -> who am I?
certmaster -> I see you as foo.bar.org
funcd -> here's my csr for foo.bar.org
certmaster -> yes, good, here's the cert for you, foo.bar.org.
funcd -> great, we're done.
That way we know that the ip/name that the certmaster is seeing on the
connect is the same one that funcd is using in its cert.
Now, obvious problem here is NAT - but that was going to be a problem
anyway afaik.
thoughts on this?
-sv
First thought:
knock, knock
who is it? Candy-gram.
Second thought:
Sounds good to me, especially as DNS getting in the way would be
supremely annoying.
--Michael
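The "who am I?" exchange above, modelled as an added example (constructed here, not func's or certmaster's own code). The reverse-lookup table, the CSR/certificate shapes and all host names and addresses are assumptions standing in for what the real certmaster would derive from the connecting socket; the point it shows is that the CSR's common name is checked against the name the certmaster sees, both at submission and at pickup, so a node whose local hostname is `somehostname.localdomain` cannot obtain a cert for a name nobody can connect to:

```python
"""Toy model of the funcd <-> certmaster name-agreement handshake from the thread."""
from dataclasses import dataclass, field

# Constructed stand-in for the certmaster's view of who is connecting
# (in reality: reverse DNS / socket peer address on the certmaster side).
REVERSE_DNS = {
    "192.0.2.10": "foo.bar.org",
    "192.0.2.11": "db01.bar.org",
}


@dataclass
class CSR:
    common_name: str
    pubkey: str  # placeholder, no real key material in this model


@dataclass
class CertMaster:
    pending: dict = field(default_factory=dict)  # name -> CSR awaiting signature
    signed: dict = field(default_factory=dict)   # name -> issued cert (string stand-in)

    def who_am_i(self, peer_ip):
        """'I see you as ...': the name is derived from the connecting address,
        never from what the client claims its hostname is."""
        return REVERSE_DNS.get(peer_ip)

    def submit_csr(self, peer_ip, csr):
        """Accept a CSR only if its CN matches the name the master sees."""
        seen_as = self.who_am_i(peer_ip)
        if seen_as is None or csr.common_name != seen_as:
            return "rejected"
        self.pending[seen_as] = csr
        return "pending"

    def admin_sign(self, name):
        """The sysadmin signs a pending request (the 'later' step in the thread)."""
        csr = self.pending.pop(name)
        self.signed[name] = f"CERT(cn={csr.common_name},key={csr.pubkey})"

    def fetch_cert(self, peer_ip, csr):
        """Second knock: re-check the name before handing the cert back."""
        seen_as = self.who_am_i(peer_ip)
        if seen_as is None or csr.common_name != seen_as:
            return None
        return self.signed.get(seen_as)


def funcd_enroll(cm, my_ip):
    """funcd side: ask who I am and build the CSR for that name, ignoring
    whatever the local hostname happens to be."""
    name = cm.who_am_i(my_ip)
    if name is None:
        return None, "rejected"
    csr = CSR(common_name=name, pubkey=f"pk-{name}")
    return csr, cm.submit_csr(my_ip, csr)


def run_scenario():
    """Walk the full exchange and return what each step produced."""
    cm = CertMaster()

    # 1. funcd asks, gets foo.bar.org, submits a matching CSR.
    csr, status = funcd_enroll(cm, "192.0.2.10")
    early = cm.fetch_cert("192.0.2.10", csr)     # nothing signed yet -> None

    # 2. sysadmin signs; funcd knocks again and picks up the cert.
    cm.admin_sign("foo.bar.org")
    cert = cm.fetch_cert("192.0.2.10", csr)

    # 3. A node that insists on its local hostname is refused.
    bad_csr = CSR(common_name="somehostname.localdomain", pubkey="pk-bad")
    bad = cm.submit_csr("192.0.2.11", bad_csr)

    # 4. A signed cert cannot be collected from a different address.
    wrong_peer = cm.fetch_cert("192.0.2.11", csr)

    return {
        "status": status, "early": early, "cert": cert,
        "bad": bad, "wrong_peer": wrong_peer,
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The NAT caveat raised in the thread shows up directly in this model: two nodes behind one NAT share a peer address, so `who_am_i` would return the same name for both and the second enrollment would overwrite the first in `pending`.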
_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list