fnoop closed 4 years ago
Need to create docs around how to securely set up SSL. Currently there is a default CA passphrase: maverick_security::ssl::ca_passphrase
This should be set by each user in a secure environment and all the certs recreated, and documented.
Re-enabled the SSL upgrade page in -web-legacy:
Oh yeah I remember why ldap_server certs are out there on their own. OpenLDAP (slapd) expects its config/ssl in /etc/ldap and database in /var/lib, and gets very upset if they're not (on Debian/Ubuntu this is down to AppArmor, in no small part). OLC, which is the in-band config for OpenLDAP (you config OpenLDAP using OpenLDAP), is an absolute nightmare to deal with. It's extremely sensitive to SSL config. OpenLDAP in general is just horrible to deal with. Hopefully we can replace it with a more modern IAM alternative in the future. For now, leave it well alone.
For now, SSL setup is consolidated.
Currently maverick_web creates certs from CA and adds to ~/data/web/ssl. LDAP should create certs, and visiond as well. We should consolidate all the certs into ~/data/security/ssl.