https://bugzilla.novell.com/show_bug.cgi?id=670580
https://bugzilla.novell.com/show_bug.cgi?id=670580#c2
J. Daniel Schmidt
The yastwc init script causes a DNS lookup at boot when generating the self-signed certificate.
Yes, but only if there is no certificate yet.
In less sheltered environments this may cause hangs due to DNS timeouts.
Only during the first boot of the appliance.
The value returned isn't guaranteed to actually be resolvable either (e.g. due to a foo.site entry in /etc/hosts). It would be better to refrain from the DNS lookup.
The fallback is to use "webyast" as the hostname if it cannot be resolved. We need to create a certificate when the webserver starts, we can do this later. What we can do is to add a sleep before creating the certificate to give the network some time to come up. Would this help? The current compromise is the best we found back then. We just don't want to run WebYaST communication via HTTP unencrypted. So the script calculates the best hostname it can get and uses fallbacks in case of errors. Our main goal was not to have a self-signed certificate with the 100% correct domain name set. Just something so the WebYaST user can go on and use WebYaST without first having to SSH to the new appliance and manually configure WebYaST's SSL certificate. This is something he can do later. Home users might not even have their own DNS server running to resolve their internal host names.
A smarter solution would probably generate the certificate only when it's actually needed with the expected host name.
When is the certificate needed? IMHO when the webserver starts with https support. Creating an SSL certificate and restarting the webserver upon the first HTTP attempt to port 433 (and answering this first attempt) would require too much effort I think. But I am open for any improvement here and will have a look at what magic cups uses.
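Added example, not part of the bug comment and not the yastwc init script's own code: one way to keep the hostname lookup from stalling boot is to run it under a hard time limit, validate the result, and fall back to "webyast" as described above. The function names, LOOKUP_TIMEOUT and the "hostname -f" default are assumptions.

```sh
#!/bin/sh
# Added example. Function names, LOOKUP_TIMEOUT and the "hostname -f" default
# are assumptions; only the "webyast" fallback comes from the comment above.

FALLBACK_CN="webyast"
LOOKUP_TIMEOUT="${LOOKUP_TIMEOUT:-3}"   # seconds the boot may wait for a name

# Accept only syntactically valid DNS names as certificate CN.
is_valid_hostname() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    printf '%s\n' "$1" | grep -Eq "^${label}(\.${label})*\$"
}

# Print the CN to use: the lookup result if it arrives in time and is valid,
# otherwise the fallback. $1 is the lookup command (default: hostname -f).
choose_cert_cn() {
    lookup_cmd=${1:-hostname -f}
    if command -v timeout >/dev/null 2>&1; then
        # A lookup killed by the time limit yields no output, so the
        # validity check below fails and the fallback is used.
        name=$(timeout "$LOOKUP_TIMEOUT" sh -c "$lookup_cmd" 2>/dev/null | head -n 1)
    else
        name=$(sh -c "$lookup_cmd" 2>/dev/null | head -n 1)   # no time limit available
    fi
    if is_valid_hostname "$name"; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$FALLBACK_CN"
    fi
}

# Create a private key and self-signed certificate for the chosen name.
# $1 = key path, $2 = certificate path
generate_selfsigned() {
    cn=$(choose_cert_cn)
    ( umask 077   # keep the private key unreadable for other users
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$cn" -keyout "$1" -out "$2" ) >/dev/null 2>&1
}
```

Nothing runs when the file is sourced; an init script would call generate_selfsigned with its key and certificate paths only when no certificate exists yet.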