[Bug 557761] New: Incomplete (?) certificate
http://bugzilla.novell.com/show_bug.cgi?id=557761
http://bugzilla.novell.com/show_bug.cgi?id=557761#c0

           Summary: Incomplete (?) certificate
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: RC 2
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: WebYaST
        AssignedTo: jdsn@novell.com
        ReportedBy: kkaempf@novell.com
         QAContact: qa@suse.de
          Found By: Development
           Blocker: ---

The generated certificate has

CN : localhost.suse.de
O: not set
OU: not set

1. The hostname should be better. Ideally, create the certificate only after network is up and a proper hostname is assigned. Or use 'webyast'.
2. O should not be empty
3. OU should not be empty

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=557761#c1

J. Daniel Schmidt <jdsn@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P4 - Low
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from J. Daniel Schmidt <jdsn@novell.com> 2009-11-23 18:03:26 UTC ---
(In reply to comment #0)
> The generated certificate has
> CN : localhost.suse.de
> O: not set
> OU: not set
We do not know what "Organization" or "Organizational Unit" will use the appliance. That's why it is not set. Not setting this is not an error.
> 1. The hostname should be better. Ideally, create the certificate only after network is up and a proper hostname is assigned. Or use 'webyast'.
That's what my intent was. Because of that I hooked the certificate creation to the rc-script of yastwc. But then you can not start yastwc until network is up. Chicken-egg problem. Or the user must ssh to the appliance and start yastwc manually when network is up (maybe needs to configure network manually first, too).

As a result of this I just got this: bug #557752. The original behaviour was exactly as you described: only create a certificate if there is a FQDN available and until then do not start yastwc. This was regarded as a P1 bug.

So no matter what way you choose, you have to live with one drawback.
1. no certificate at all, and no yastwc running
2. Have a certificate in any case, but maybe with a non-FQDN hostname

I think 2) is the best option in this case and fixed it accordingly.
> 2. O should not be empty
> 3. OU should not be empty
Why? It is very common to not set fields that do not apply.

I'll close this one as duplicate of bug#557752 as it deals with the same issue, just looking at it from the other side.

*** This bug has been marked as a duplicate of bug 557752 ***
http://bugzilla.novell.com/show_bug.cgi?id=557752
http://bugzilla.novell.com/show_bug.cgi?id=557761#c2

Klaus Kämpf <kkaempf@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P4 - Low                    |P2 - High
             Status|RESOLVED                    |REOPENED
         Resolution|DUPLICATE                   |
   Target Milestone|---                         |Final

--- Comment #2 from Klaus Kämpf <kkaempf@novell.com> 2009-11-23 19:47:11 UTC ---
The bug is not so much about technical issues but about the impression WebYaST has on our target group.

As an inexperienced Windows user, I would be scared by all the warnings Firefox shows me.

So please
- set the attributes to meaningful values
- document, for the vendor, how to configure the values
- get in contact with documentation team to ensure this is properly reflected in the vendor's manual

Reopening. P2, needs fixing before release.
http://bugzilla.novell.com/show_bug.cgi?id=557761#c3

J. Daniel Schmidt <jdsn@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |ASSIGNED

--- Comment #3 from J. Daniel Schmidt <jdsn@novell.com> 2009-11-24 10:56:45 UTC ---
(In reply to comment #2)
> The bug is not so much about technical issues but about the impression WebYaST has on our target group.
Yes, and that's what concerns me.
> As an inexperienced Windows user, I would be scared by all the warnings Firefox shows me.
It's the aim of such warnings to warn. There will always be warnings in Firefox unless the user/admin implements a certificate that is trusted by Firefox by default. This is something we can not do. And until then Firefox will mark this page as untrusted. This is the idea behind SSL, trust and security. It's a security issue the user has to be made aware of. Any other behaviour would simulate that everything is ok, secure and trusted.

The best thing we can do is to create a self-signed certificate, that's what we do. But there will always be warnings - we can not prevent this.
http://bugzilla.novell.com/show_bug.cgi?id=557761#c4

Duncan Mac-Vicar <dmacvicar@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dmacvicar@novell.com

--- Comment #4 from Duncan Mac-Vicar <dmacvicar@novell.com> 2009-11-24 14:01:09 UTC ---
So what will happen with this bug? Let's close as INVALID or define desired behavior.
http://bugzilla.novell.com/show_bug.cgi?id=557761#c5

--- Comment #5 from Klaus Kämpf <kkaempf@novell.com> 2009-11-24 14:05:33 UTC ---
Simply enter reasonable values like "WebYaST" or "To be defined by appliance vendor".
http://bugzilla.novell.com/show_bug.cgi?id=557761#c6

--- Comment #6 from J. Daniel Schmidt <jdsn@novell.com> 2009-11-24 15:08:46 UTC ---
I changed the status to ASSIGNED, so I will fix it.

The script now can set the organization (WebYaST) and unit name (WebYaST) and supports a default CN that is currently "webyast".

I can contact Josef and ask him to include in the manual the process of creating a server certificate.

What we can not fix is the warnings in the browsers.
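
The behaviour described in comment #6, sketched as an added example (not part of the thread and not the WebYaST script itself): the host name is used as CN only when it looks like a real FQDN, otherwise the default "webyast" is used, and O and OU are never left empty. The function names, the CERT_* variables and the rule that "localhost.*" counts as a placeholder name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the WebYaST certificate script.
# Assumed names: pick_cn, build_subject, make_cert and the CERT_* variables.

CERT_O="${CERT_O:-WebYaST}"                     # organization default from comment #6
CERT_OU="${CERT_OU:-WebYaST}"                   # unit name default from comment #6
CERT_DEFAULT_CN="${CERT_DEFAULT_CN:-webyast}"   # default CN from comment #6

# Use the host name as CN only if it looks like a real FQDN; otherwise
# fall back to the default so that a certificate always exists.
pick_cn() {
    name=$1
    case "$name" in
        ""|localhost|localhost.*) echo "$CERT_DEFAULT_CN" ;;   # placeholder name (assumption)
        *.*)                      echo "$name" ;;              # has a domain part
        *)                        echo "$CERT_DEFAULT_CN" ;;   # short name only
    esac
}

# Build the -subj argument for openssl; no field is left empty.
build_subject() {
    printf '/O=%s/OU=%s/CN=%s\n' "$CERT_O" "$CERT_OU" "$(pick_cn "$1")"
}

# Create a self-signed certificate and an unencrypted key with that subject.
# The key file is created with owner-only permissions.
make_cert() {
    host=$1 key=$2 crt=$3
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "$(build_subject "$host")" \
          -keyout "$key" -out "$crt" )
}

# Generate only when asked: sh gencert.sh --generate server.key server.crt
if [ "${1:-}" = "--generate" ]; then
    make_cert "$(hostname -f 2>/dev/null)" "$2" "$3"
fi
```

A certificate created this way is still self-signed, so browsers keep warning until the admin installs one issued by a CA they trust.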
http://bugzilla.novell.com/show_bug.cgi?id=557761#c7

J. Daniel Schmidt <jdsn@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from J. Daniel Schmidt <jdsn@novell.com> 2009-11-24 15:16:57 UTC ---
Fixed in version 0.0.21 and submitted to OBS.
http://bugzilla.novell.com/show_bug.cgi?id=557761#c8

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:released:sle11:29137

--- Comment #8 from Swamp Workflow Management <swamp@suse.com> 2009-12-02 20:53:28 UTC ---
Update released for: yast2-webclient
Products: SLE-WEBYAST 1.0 (i386, x86_64)