Re: Building production machines out-of-place, regenerating certs when a machine's identity changes, etc.

On 11/27/10 1:09 PM, nodata wrote:
> On 27/11/10 16:44, Ralf Ertzinger wrote:
>> Hi.
>>
>> On Sat, 27 Nov 2010 16:15:47 +0100, nodata wrote
>>
>>> I don't agree. If you are replacing a production machine, you take
>>> the keys from the old machine and use them. If you don't want to do
>>> that, you buy new, probably stronger, certificates that are also
>>> valid. I think your case only covers self-signed certificates.
>> I agree, usually the keys from the old machine are imported into the new.
>> I do, however, question the usefulness of generating self signed keys
>> for 'localhost' or 'localhost.localdomain'. Is there any valid use
>> case for these?
> Not normally, no.
>
> localhost is a catchall for when either your hosts file is badly
> configured or you didn't configure networking yet. So we're back to the
> problem you mentioned of these things running from rpm scriptlets.
>
> Maybe the sshd approach would be better - generate at first run of the
> daemon?

There's no guarantee that the daemon is run while the machine is in a useful state... unless the script refuses to start while the hostname and domain name are unset...

-Philip

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
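
The check suggested in the reply above (generate at first run, but refuse while the hostname and domain name are unset) could look like the sketch below. It is an added example, not part of the thread or of any Fedora package; the function names, the paths in the usage comment, the exit code and the list of placeholder names are assumptions.

```shell
#!/bin/sh
# Added example: gate first-run certificate generation on a usable hostname.
# Function names and exit code are hypothetical choices for this sketch.

# Return 0 only if the name is a real FQDN, not an unset or placeholder value.
hostname_is_usable() {
    name=$1
    case "$name" in
        # Empty, kernel default "(none)", or any localhost catch-all name.
        ''|'(none)'|localhost|localhost.*|localhost4|localhost4.*|localhost6|localhost6.*)
            return 1 ;;
        *.*) return 0 ;;   # has a domain part
        *)   return 1 ;;   # short name only: domain name is still unset
    esac
}

# Create a self-signed key and certificate for FQDN $1 at key path $2 and
# certificate path $3 unless both already exist.
# Returns 0 if the pair exists or was created, 75 (EX_TEMPFAIL) if the
# hostname is not usable yet, so the init script can refuse to start.
ensure_cert() {
    fqdn=$1 key=$2 crt=$3
    [ -s "$key" ] && [ -s "$crt" ] && return 0
    if ! hostname_is_usable "$fqdn"; then
        echo "refusing to generate certificate for '$fqdn'" >&2
        return 75
    fi
    # Subshell keeps the restrictive umask local to key generation.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$fqdn" -keyout "$key" -out "$crt" 2>/dev/null
    )
}

# Usage from a daemon's init script (paths are placeholders):
#   ensure_cert "$(hostname -f)" /path/to/server.key /path/to/server.crt || exit $?
```

An existing key pair is left alone, which matches the case raised earlier in the thread where the keys from the old machine are imported into the new one.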

