Improving certificate management

[tdviet]

Some sites are still using IGTF certificates from national CAs that are not included to the OS by default. Installing certificates via script from https://github.com/tdviet/python-requests-bundle-certs is not feasible, it is not supported on CentOS and need to be executed separately (additional work for end-users).

Some solutions:

• Option to make a separate location for trusted CAs for fedcloud client in configuration file https://github.com/tdviet/fedcloudclient/issues/86
• Option --insecure for ignoring CA checking (useful for testing but not recommended for production)
• Function fedcloud site add --trusted to add a new site as trusted, ignoring CA checking for the site

[EGI-ILM]

I think all these suggested options are good.

What I think it is important for the user experience is that:

• The management of the IFTG certificates is done transparently for them, so users can access any site securely without having to understand what a certificate is and without taking additional (usually complicated) actions that depend on their OS type.
• It does not mess with the default certificate keystore of the user.

[sebastian-luna-valero]

Another option I just came across:

# install udocker
conda create -n udocker -c conda-forge udocker --yes
conda activate udocker

# create fedcloudclient container
udocker pull tdviet/fedcloudclient:1.3.1
udocker create --name=fedcloudclient131 tdviet/fedcloudclient:1.3.1

# access site
oidc-token <your-account>
export OIDC_ACCESS_TOKEN=<access-token-from-previous-command>
udocker run --hostenv fedcloudclient131 fedcloud openstack --vo vo.access.egi.eu --site GSI-LCG2 server list

[tdviet]

Thank you, @sebastian-luna-valero, for the workaround.

My current plan is:

• maintaining the the file containing python request bundle certificates in local configuration folder ~/.config/fedcloud/certs/. The location of the file is configurable in the config, see https://github.com/tdviet/fedcloudclient/blob/2.0-alpha/fedcloudclient/config.py#L30

• add a command fedcloud cert init to generate the file (like python-requests-bundle-certs script do, but to ~/.config/fedcloud/certs)

• add a command fedcloud cert add to add other certificates (from local files or extracted from HTTPS servers) to the file

• add a command fedcloud init to perform all post-installation work in single command: create default config folders/files, download site config (fedcloud site save-config), download IGTF certificates (fedcloud cert init) and so on