#3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
Closed: fixed 6 years ago Opened 10 years ago by dpal.

For new installs we should be able to choose which we will be using: mod_nss or mod_ssl. That would allow us to coexist with other applications on the same host. While it is discouraged in production, it is very important for POC and pilot deployments to be able to coexist with other applications on the same host.


The issues may be:

  • Where the RA agent cert is stored. It is currently in the mod_nss NSS db? It may be ok to leave it there.
  • Will we allow people to switch back and forth?
  • What config changes are needed in mod_ssl?
  • Knowing which module is being used to tell certmonger what to track.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago

master:

  • 805aea2 Use mod_ssl instead of mod_nss for Apache TLS for new installs
  • a0407f7 Remove main function from the certmonger library
  • 5c64e28 Convert ipa-pki-proxy.conf to use mod_ssl directives
  • 4596674 Enable upgrades from a mod_nss-installed master to mod_ssl
  • 5531c9f Don't backup nss.conf on upgrade with the switch to mod_ssl
  • 4d2c7a4 Add value in set_directive after a commented-out version
  • fa135e6 Update smart_card_auth advise script for mod_ssl
  • 7dc923c mod_ssl migration: fix upload_cacrt.py plugin
  • 2056752 httpinstance: handle supplied PKCS#12 files in installation
  • 8789afa x509: Remove unused argument of load_certificate_from_file()
  • 60aa2c3 x509: Fix docstring of write_certificate()
  • c85bf37 certupdate: don't update HTTPD NSS db
  • 9a7c315 Make ipa-server-certinstall store HTTPD cert in a file
  • 92d91ed fixup: add ipa-rewrite.conf to ssl.conf on upgrade
  • 0c388d1 service: rename import_ca_certs_ to export_
  • dde62ff httpinstance: backup mod_nss conf instead of just removing it
  • 8ea04ab httpinstance: verify priv key belongs to certificate
  • ee49947 httpinstance: fix publishing of CA cert
  • 1ca68ea httpinstance fixup: remove commented-out lines
  • b219413 Move HTTPD cert/key pair to /var/lib/ipa/certs
  • 7584573 Backup ssl.conf when migrating from mod_nss

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7 (was: Tickets Deferred)

6 years ago

master:

  • 3650e3b upgrade: remove fix_trust_flags procedure

master:

  • 7960352 Backup HTTPD's mod_ssl config and cert-key pair
