Skip to content
This repository has been archived by the owner on Jan 15, 2024. It is now read-only.

Differences between XnatInstaller and OmeroInstaller for creating self-signed SSL certificates #1

Closed
p-j-smith opened this issue Jan 30, 2023 · 2 comments
Closed

Differences between XnatInstaller and OmeroInstaller for creating self-signed SSL certificates #1

p-j-smith opened this issue Jan 30, 2023 · 2 comments

Comments

@p-j-smith
Copy link
Contributor

As mentioned in UCL-MIRSG/ansible-role-postgresql#1 (comment), there are several differences in the way XnatInstaller and OmeroInstaller handle the creation of self-signed SSL certificates. These differences will need to be accounted for when creating this role.

However, there are also some lower-level differences that I'm unsure how to handle here:
@drmatthews
Copy link
Contributor

When generating an OpenSSL CSR, XnatInstaller sets the common name to xnat_db.host for the server certificate and xnat_web_server.host for the client certificate. However, OmeroInstaller sets both the server certificate and client certificate CSR common names to omero_db.host. Should the same common name be used for both the db and web servers, or should omero_web.host be used for the client certificate?

This would appear to be a mistake in OmeroInstaller - the naming should be as in XnatInstaller (although it still works as-is in OmeroInstaller).

In XnatInstaller, the db host has a variable postgres.ssl_client_cert_file that is the path /var/lib/pgsql/certs/root.crt. In OmeroInstaller, the db host has this same path assigned to a different variable (postgres.ssl_ca_file). Which variable name is better to use - postgres.ssl_client_cert_file or postgres.ssl_ca_file?

I appreciate that this looks confusing, but in OmeroInstaller I renamed ssl_client_cert_file to ssl_ca_file because I needed an extra variable for the name of the cert file in the cache directory. In XnatInstaller there is a separate cache directory for client and server certs (e.g. pg_client_cert_cache). In OmeroInstaller I opted for a single cache directory and a variable for the filename in the cache (e.g. ssl_client_cert_filename) which was quite similar to a variable already in use. A better approach would be to follow XnatInstaller and keep ssl_client_cert_file but set a generic variable for the full path in the cache dir (e.g. ssl_cert_cache_path).

XnatInstaller copies the server certificate to the client and the client certificate to the server. OmeroInstaller does this too, but it also copies the ssl_key_file, ssl_cert_file, and ssl_pk8_file from the server to the client and the ssl_key_file and ssl_cert_file from the client to the server. Do these extra files need to be copied across?

Probably not. In OmeroInstaller copy everything is probably just a left-over from me trying to get a generic role to work. I suggest starting by copying only the cert file.

XnatInstaller sets permissions to mode: 700 for the certificates directory and mode: 400 for the key, certificate, and pk8 files. OmeroInstaller sets permissions to mode: 755 for the certificates directory and doesn't explicitly set permissions for the files. Do the permissions need to be set as in XnatInstaller?

In OmeroInstaller the ownership and permissions of the pk8 file is set during copying. It can be done as in XnatInstaller but you'd need a variable for the SSL cert role which sets the owner, group and permission. Which is probably a better approach as it will make it clearer. We would just need to make sure that (in OmeroInstaller) omero_server_system_user is set before the SSL cert role variables.

@p-j-smith
Copy link
Contributor Author

thanks for clarifying - I think these issues are all addressed by the current version of this role

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drmatthews @p-j-smith