[DRE-maint] Bug#926235: obs-api: Configure OBS to use its own certificate path by default

Simon McVittie smcv at collabora.com
Tue Apr 2 12:14:50 BST 2019


Package: obs-api
Version: 2.7.1-10
Severity: wishlist

The Debian default configuration for obs-api uses the "snakeoil"
self-signed certificate generated by the ssl-cert package, with
OBS-specific certificates commented out:

> #	SSLCertificateFile /srv/obs/certs/server.crt
> #	SSLCertificateKeyFile /srv/obs/certs/server.key
>
> 	SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
> 	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

I think it would be better to configure it to use certificates in an
OBS-specific location (/etc/obs/certs or /srv/obs/certs or similar),
and have this logic (shown here as pseudocode) in the postinst:

    if /path/to/server.crt exists and /path/to/server.key exists:
        do nothing
    else:
        make-ssl-cert generate-default-snakeoil
        ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /path/to/server.crt
        ln -s /etc/ssl/private/ssl-cert-snakeoil.key /path/to/server.key

That way, the sysadmin can replace /path/to/server.crt and
/path/to/server.key with more appropriate keys, or with symlinks
(for example to /etc/letsencrypt/live/obs.example.com/fullchain.pem
and /etc/letsencrypt/live/obs.example.com/privkey.pem), either before
or after installing OBS, and they will be used automatically without
needing any other special configuration.

    smcv
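
One way the postinst logic proposed in the report could be written in POSIX sh, as an added example that is not part of the original message or of the obs-api package. The function names, the refusal to act when only one of the two files is present, and the treatment of a dangling symlink as "present" are assumptions of this example; the certificate directory is passed in because the report leaves its location open.

```shell
#!/bin/sh
# Added example, not obs-api's own maintainer script.
# Intended call from a postinst (directory is an assumption):
#   obs_ensure_certs /srv/obs/certs \
#       /etc/ssl/certs/ssl-cert-snakeoil.pem \
#       /etc/ssl/private/ssl-cert-snakeoil.key

# True if the path exists in any form. A dangling symlink counts, so a
# link to a Let's Encrypt file that has not been issued yet is kept.
obs_present() {
    [ -e "$1" ] || [ -L "$1" ]
}

obs_ensure_certs() {
    cert_dir=$1
    snake_crt=$2
    snake_key=$3
    crt=$cert_dir/server.crt
    key=$cert_dir/server.key

    # Both present: admin-supplied or linked by an earlier run. Do nothing.
    if obs_present "$crt" && obs_present "$key"; then
        return 0
    fi

    # Only one present: linking the other half to snakeoil would pair a
    # certificate with a key that does not match it, so touch neither.
    if obs_present "$crt" || obs_present "$key"; then
        echo "obs-api: only one of $crt and $key exists; leaving both alone" >&2
        return 2
    fi

    # Neither present: make sure the snakeoil pair exists, then link to it.
    if [ ! -e "$snake_crt" ] || [ ! -e "$snake_key" ]; then
        make-ssl-cert generate-default-snakeoil || return 1
    fi
    mkdir -p "$cert_dir"
    ln -s "$snake_crt" "$crt"
    ln -s "$snake_key" "$key"
}
```

Because the function never replaces an existing path, rerunning it on upgrade leaves an administrator's certificate or symlink in place.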


