> On 2 Dec 2020, at 19:04, Angel Bosch Mora <abosch@imasmallorca.net> wrote:
>
>> depending on your version of 389, look at "dsctl <instance name> tls
>> import-ca"
>>
>> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca
>> --help
>> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
>>
>> positional arguments:
>> cert_path The path to the x509 cert to import as a server CA
>> nickname The name of the certificate once imported
>>
>> optional arguments:
>> -h, --help show this help message and exit
>>
>> This allows you to import a PEM CA file. There are a number of other
>> helpers under the tls subcommand to make cert management easier.
>>
>
>
> all this is pretty new, right?
>
> I can't recall reading this last time I checked docs.
I don't remember what version it was landed in, but certainly one 1.4.x somewhere.
>
> anyway, my main problem is that to deploy a node in a truly unattended mode It shouldn't pause at CSR request and continue when CA sign certificates, so I'm trying to have some preconfigured cert databases and signed certs.
>
> If there's no way to do that, I can't dynamically create and destroy nodes.
>
> the other option is letting the loadbalancer handle encryption, but official docs are very aggressive against that option, but I wonder if I should ignore that recommendation and encrypt at LB level.
> any hints?
You can setup an instance with *no* TLS setup with self_signed = false in the setup.inf, then you can later add the nssdb + enable encryption. That's probably what you want here.
>
> abosch
> -- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment