
Improving certificate management #143

Open
tdviet opened this issue Apr 13, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@tdviet (Owner) commented Apr 13, 2022

Some sites are still using IGTF certificates from national CAs that are not included in the OS by default. Installing certificates via the script from https://github.com/tdviet/python-requests-bundle-certs is not feasible: it is not supported on CentOS and needs to be executed separately (additional work for end-users).

Some solutions:

  • Option to make a separate location for trusted CAs for fedcloud client in configuration file (see Adding configuration file #86)
  • Option --insecure for ignoring CA checking (useful for testing but not recommended for production)
  • Function fedcloud site add --trusted to add a new site as trusted, ignoring CA checking for the site
tdviet added the enhancement label Apr 13, 2022

@EGI-ILM (Contributor) commented Apr 13, 2022

I think all these suggested options are good.

What I think is important for the user experience is that:

  • The management of the IGTF certificates is done transparently for them, so users can access any site securely without having to understand what a certificate is and without taking additional (usually complicated) actions that depend on their OS type.
  • It does not mess with the default certificate keystore of the user.

@sebastian-luna-valero (Collaborator) commented Dec 16, 2022

Another option I just came across:

# install udocker
conda create -n udocker -c conda-forge udocker --yes
conda activate udocker

# create fedcloudclient container
udocker pull tdviet/fedcloudclient:1.3.1
udocker create --name=fedcloudclient131 tdviet/fedcloudclient:1.3.1

# access site
oidc-token <your-account>
export OIDC_ACCESS_TOKEN=<access-token-from-previous-command>
udocker run --hostenv fedcloudclient131 fedcloud openstack --vo vo.access.egi.eu --site GSI-LCG2 server list

@tdviet (Owner, Author) commented Dec 16, 2022

Thank you, @sebastian-luna-valero, for the workaround.

My current plan is:

  • maintain the file containing the python-requests bundle certificates in the local configuration folder ~/.config/fedcloud/certs/. The location of the file is configurable in the config, see https://github.com/tdviet/fedcloudclient/blob/2.0-alpha/fedcloudclient/config.py#L30

  • add a command fedcloud cert init to generate the file (like the python-requests-bundle-certs script does, but to ~/.config/fedcloud/certs)

  • add a command fedcloud cert add to add other certificates (from local files or extracted from HTTPS servers) to the file

  • add a command fedcloud init to perform all post-installation work in a single command: create default config folders/files, download site config (fedcloud site save-config), download IGTF certificates (fedcloud cert init) and so on

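The per-user bundle workflow sketched in the plan above (a base bundle plus IGTF CA files merged into ~/.config/fedcloud/certs/, then extended with cert add), written here as an added example that is not fedcloudclient's own code. The bundle file name ca-bundle.pem, the FEDCLOUD_CERT_DIR override and the function names are assumptions; the base bundle is whatever requests trusts already (typically certifi.where()), and certificates are deduplicated by the SHA-256 of their DER form so the same CA supplied twice is stored once.

```python
import base64
import hashlib
import os
import re
from pathlib import Path

# Location from the plan above; the file name and the env override are assumptions.
BUNDLE_DIR = Path(os.environ.get("FEDCLOUD_CERT_DIR", str(Path.home() / ".config/fedcloud/certs")))
BUNDLE_FILE = BUNDLE_DIR / "ca-bundle.pem"

# Matches one PEM certificate; anything outside the markers (comments, blank lines) is ignored.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return {sha256(DER): normalised PEM block} for every certificate found in text."""
    found = {}
    for body in _PEM_BLOCK.findall(text):
        # validate=True makes a garbled or truncated block fail loudly instead of being silently kept.
        der = base64.b64decode("".join(body.split()), validate=True)
        found[hashlib.sha256(der).hexdigest()] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return found


def cert_init(base_bundle, extra_dirs=(), bundle_file=BUNDLE_FILE):
    """Write a fresh bundle: the base bundle plus every *.pem in extra_dirs (e.g. an IGTF distribution).
    The user's OS trust store is never touched; only bundle_file is written. Returns the certificate count."""
    certs = pem_blocks(Path(base_bundle).read_text())
    for directory in extra_dirs:
        for pem in sorted(Path(directory).glob("*.pem")):
            certs.update(pem_blocks(pem.read_text()))
    bundle_file = Path(bundle_file)
    bundle_file.parent.mkdir(parents=True, exist_ok=True)
    bundle_file.write_text("".join(certs.values()))
    os.chmod(bundle_file, 0o644)  # trust anchors are public; only the owner should be able to change them
    return len(certs)


def cert_add(pem_path, bundle_file=BUNDLE_FILE):
    """Append the certificates from a local PEM file that the bundle lacks; return how many were added."""
    bundle_file = Path(bundle_file)
    bundle_file.parent.mkdir(parents=True, exist_ok=True)
    present = pem_blocks(bundle_file.read_text()) if bundle_file.exists() else {}
    new = {h: block for h, block in pem_blocks(Path(pem_path).read_text()).items() if h not in present}
    with bundle_file.open("a") as fh:
        fh.write("".join(new.values()))
    return len(new)
```

Client code then passes the file explicitly, e.g. requests.get(url, verify=str(BUNDLE_FILE)), so the default keystore stays untouched and --insecure is not needed for sites signed by a national IGTF CA.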