On Wed, Aug 2, 2017 at 10:04 PM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
> Petr Vobornik via FreeIPA-devel wrote:
> > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
> >> Hi devs,
> >>
> >> This is at least the second time recently that people needing to
> >> renew service certificates used ``ipa-cacert-manage renew`` (the
> >> wrong command) and either didn't solve the problem or got into a
> >> deeper mess.
> >>
> >> Clearly we have a usability problem here.
> >>
> >> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
> >> prominent statement that it doesn't renew service certs and if
> >> that's all the user needs to do, to use `getcert resubmit` instead.
> >
> > Right, I think that a lot of people don't understand certificates well
> > and so they don't distinguish CA cert and other cert. So when they see
> > a howto for "CA certificate renewal" they understand "certificate
> > renewal".
> >
> > From that perspective another possible culprit is also this page:
> >
> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >
> >>
> >> But I think better would be to enhance `ipa-cacert-manage renew` to
> >> inspect the current CA certificate and if it has, say, more than 75%
> >> of its validity period still to go, to PROMPT the user to confirm
> >> that renewing the *CA* certificate is really what they wanted to do.
> >>
> >> What do others think of this idea?
> >
> > I like the idea.
>
> Honestly, I'd be even harsher. IMHO this is one of those times that
> requires:
>
> Are you sure? (yes/NO)
>
> Are you really sure? (yes/NO)
>
> Really, you want to renew the CA certificate and not some other
> certificate? This is not something to be done lightly? (yes/NO)
>
> <insert another 72 questions here>
>
> rob
>
OK, I've filed tickets:

- https://pagure.io/freeipa/issue/7084 (update command with prompts)
- https://pagure.io/freeipa/issue/7085 (manpage)

Thanks,
Fraser
Especially the first one was quite misleading: it pointed people to the CA
Cert renewal page in case of any problem with certificates.
--
Petr Vobornik
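To make the proposal in the thread concrete, here is an added example of the "is the CA certificate still mostly valid, and if so, ask before renewing it" check. It is my own illustration, not code from FreeIPA or from `ipa-cacert-manage`, and it assumes the caller has already read the certificate's notBefore/notAfter timestamps (with a library such as python-cryptography, or from `getcert list`); the 75% threshold and the yes/NO prompt wording are taken from the discussion above, and all function names are hypothetical.

```python
"""Hypothetical pre-flight check for a CA certificate renewal command.

Added example, not FreeIPA code. It models the idea from the thread:
inspect the current CA certificate's validity window and, when most of
that window is still ahead, make the operator confirm that renewing the
*CA* certificate (rather than a service certificate) is really intended.
"""
from datetime import datetime, timezone

# Fraction of the validity period that must still remain for the renewal
# to look "suspiciously early". 0.75 is the value suggested in the thread.
EARLY_RENEWAL_THRESHOLD = 0.75


def remaining_fraction(not_before, not_after, now=None):
    """Fraction (0.0..1.0) of the validity window still ahead of `now`.

    Clamped to [0, 1]: an already-expired certificate yields 0.0 and a
    not-yet-valid one yields 1.0, so clock skew cannot push the value out
    of range. A degenerate window (notAfter <= notBefore) is an error.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    total = (not_after - not_before).total_seconds()
    if total <= 0:
        raise ValueError("notAfter must be later than notBefore")
    remaining = (not_after - now).total_seconds()
    return max(0.0, min(1.0, remaining / total))


def renewal_looks_early(not_before, not_after, now=None,
                        threshold=EARLY_RENEWAL_THRESHOLD):
    """True when more than `threshold` of the validity period remains."""
    return remaining_fraction(not_before, not_after, now) > threshold


def confirm(prompt, read=input):
    """Ask a yes/NO question; anything other than an explicit 'yes' is NO.

    `read` is injectable so the prompt can be driven non-interactively.
    """
    answer = read(f"{prompt} (yes/NO) ")
    return answer.strip().lower() == "yes"


def should_renew_ca(not_before, not_after, now=None, read=input,
                    threshold=EARLY_RENEWAL_THRESHOLD):
    """Decide whether a CA renewal should proceed.

    Proceeds without asking when the certificate is close to expiry
    (the normal renewal case); otherwise requires an explicit 'yes'.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    fraction = remaining_fraction(not_before, not_after, now)
    if fraction <= threshold:
        return True
    days_left = (not_after - now).days
    return confirm(
        f"The CA certificate is still valid for {days_left} days "
        f"({fraction:.0%} of its validity period remains). If you only "
        "need to renew a service certificate, use 'getcert resubmit' "
        "instead. Really renew the CA certificate?",
        read,
    )


if __name__ == "__main__":
    # Constructed sample window: a CA certificate issued 2017-01-01,
    # valid for ten days, checked on 2017-01-03 (80% still to go).
    nb = datetime(2017, 1, 1, tzinfo=timezone.utc)
    na = datetime(2017, 1, 11, tzinfo=timezone.utc)
    at = datetime(2017, 1, 3, tzinfo=timezone.utc)
    if should_renew_ca(nb, na, now=at):
        print("proceeding with CA renewal")
    else:
        print("aborted")
```

The two-step structure matters for the usability point raised in the thread: the prompt only appears when renewal is unusually early, so the common case (an expiring CA certificate renewed on schedule, or by a cron job) is not interrupted, while the accidental case gets a message that names the command the user probably wanted.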