certificates: Extend the lifetime of non-web Engine certificates #329
Conversation
mz-pdm
requested review from
didib,
sandrobonazzola,
ahadas,
bennyz,
emesika,
mwperina,
michalskrivanek,
oliel and
sgratch
as code owners
|
OVN certificates are not updated when running engine-setup in my environment so I don't whether that part works properly. But the change there is trivial. |
michalskrivanek
force-pushed
the
certificates-engine
branch
from
5c63cc1
to
74a667e
Compare
packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/network/ovirtproviderovn.py
Show resolved
Hide resolved
ovirt-engine-rename is a tool to change FQDN of engine (for example after migration to a different physical host). In theory it should not only change FQDN wherever it's used, but also force to regenerate engine certificat. But this tools was never fully supported, so no need to perform some extensive testing |
Non-web certificates are not subjects to the lifetime limitations required by web browsers. Let’s extend the lifetime of non-web Engine certificates to 5 years (the same value as for the host certificates) to make the certificate updates much less frequent. Let’s also drop the check for long certificate lifetime. All web certificates should already have the shortened lifetime, otherwise they wouldn’t work with current browsers. Bug-Url: https://bugzilla.redhat.com/2079835
mz-pdm
force-pushed
the
certificates-engine
branch
from
74a667e
to
f2dae8d
Compare
There was a problem hiding this comment.
Re "Let’s also drop the check for long certificate lifetime. All web
certificates should already have the shortened lifetime, otherwise
they wouldn’t work with current browsers.":
What if they actually do not work with current browsers? We introduced this code only less than 1.5 years ago, in bz 1906320, 4.4.5.
People that:
- Set up 4.4.4
- Use old browsers
- Upgrade to 4.4.5
- Upgrade their browsers
Will hopefully never notice any issue - everything will be seamless.
But people that do exactly the same, but in step (3.) upgrade to current version directly, will run into issues (popups/blocks/etc from their browsers), if I got it right. This is a regression. Am I missing something?
Also: If you didn't test ovirt-engine-rename, please ask QE to do at least some sanity testing of it. I know, @michalskrivanek, that I [1] try to present it as "not fully supported", but official docs [2] are less explicit...
[1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html
This was @michalskrivanek's suggestion so he should be best able to answer this. |
|
I think it's fine. 4.4.3 (that's where we changed it) is ~15 months old. A long time to upgrade browsers really. |
Non-web certificates are not subjects to the lifetime limitations
required by web browsers. Let’s extend the lifetime of non-web Engine
certificates to 5 years (the same value as for the host certificates)
to make the certificate updates much less frequent.
Let’s also drop the check for long certificate lifetime. All web
certificates should already have the shortened lifetime, otherwise
they wouldn’t work with current browsers.
Bug-Url: https://bugzilla.redhat.com/2079835