You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/03/19 20:05:00 UTC

[GitHub] [cloudstack] Slair1 opened a new pull request #4848: Allow host cert renewals even if client auth strictness is false

Slair1 opened a new pull request #4848:
URL: https://github.com/apache/cloudstack/pull/4848


   ### Description
   
   This PR allows the management servers to renew certificates issued to hosts, even if ca.plugin.root.auth.strictness is false.  There is already a global setting named ca.framework.cert.automatic.renewal that should be controlling the certificate renewals.  However, ca.plugin.root.auth.strictness currently circumvents that setting.
   
   #### More Detail
   
   The ca.plugin.root.auth.strictness setting is checked early in the client certificate checking method and exits the method without adding the certificate to the management server's in-memory certificate map.  The certificate renewal process (if enabled with ca.framework.cert.automatic.renewal) reads that in-memory certificate map to determine what certs it could renew.  Those two settings shouldn't be so closely related.
   
   
   <!--- ********************************************************************************* -->
   <!--- NOTE: AUTOMATATION USES THE DESCRIPTIONS TO SET LABELS AND PRODUCE DOCUMENTATION. -->
   <!--- PLEASE PUT AN 'X' in only **ONE** box -->
   <!--- ********************************************************************************* -->
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [X] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [ ] Major
   - [X ] Minor
   
   #### Bug Severity
   
   - [ ] BLOCKER
   - [ ] Critical
   - [ ] Major
   - [X] Minor
   - [ ] Trivial
   
   
   ### Screenshots (if appropriate):
   
   
   ### How Has This Been Tested?
   We've deployed and tested this in our CloudStack environments.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] Slair1 closed pull request #4848: Allow host cert renewals even if client auth strictness is false

Posted by GitBox <gi...@apache.org>.

Slair1 closed pull request #4848:
URL: https://github.com/apache/cloudstack/pull/4848


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] Slair1 commented on pull request #4848: Allow host cert renewals even if client auth strictness is false

Posted by GitBox <gi...@apache.org>.

Slair1 commented on pull request #4848:
URL: https://github.com/apache/cloudstack/pull/4848#issuecomment-803118877


   Doing more testing before submitting


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org