yahoo-eng-team team mailing list archive

[Bug 1517180] Re: No support for adding custom certificate chains

 

This is probably more useful in curtin, but I could see it being useful
in cloud-init as well.

I expect this is more useful in curtin long-term, since those deploying
in an environment with its own PKI infrastructure will be the primary
users of this feature.

Having this in cloud-init would be good in case the certificates are
needed during commissioning (i.e. to reach a TLS-protected MAAS URL),
but I see that as lower priority.

Bottom line: for us to consider adding this feature to MAAS, it will
probably need to be available in curtin first.

** Also affects: curtin
   Importance: Undecided
       Status: New

** Also affects: cloud-init
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1517180

Title:
  No support for adding custom certificate chains

Status in cloud-init:
  New
Status in curtin:
  New
Status in MAAS:
  Triaged

Bug description:
  In a MAAS behind a proxy that uses a self-signed certificate, when
  machines provisioned using MAAS attempt to contact e.g.
  https://entropy.ubuntu.com, they fail to validate the cert chain and
  fail.

  Suggested solution borrowed from an email from kirkland:

  On the MAAS administrative configuration page, we should add a small
  section where the MAAS admin can copy/paste/edit any certificate
  chains that they want to add to machines provisioned by MAAS.  These
  certs should then be inserted into /etc/ssl/certs by cloud-init or
  curtin on initial install (depending on the earliest point at which
  the cert might be needed).
