Control: tags -1 +upstream Control: tags -1 +wontfix Le vendredi, 23 juin 2017, 05.13:19 h CEST Drexl Johannes a écrit : > I've just upgraded to Stretch and noticed CUPS won't use my certificate/key > files any longer. It seems the options ServerCertificate and ServerKey have > moved somewhere else (or dropped without upgrade notice), and this isn't > really documented. CUPS now refuses to use those options alltogether, > insisting on FQDN.key and FQDN.crt for no apparent reason whatsoever, > generating the files as soon as one visits the web interface. The possible > solution to this was to manually symlink the intended certificate/key to > the hardcoded file names. While this works without (apparent) problems, I > don't think this should be necessary nor forced upon the user.
ServerCertificate & ServerKey configuration directives' support has been
dropped
in CUPS 2.2~b1, so is replaced by ServerKeyChain (in /etc/cups/cups-files.conf)
which indicates a keychain path (`ssl`, so `/etc/cups/ssl/` by default). The
auto-generation is controlled by the option CreateSelfSignedCerts, that
defaults to 'yes'.
Actually, looking at the code, it seems that : cupsSetServerCredentials(…)
is called with ServerName as second argument, without a possibility of that
getting changed. ServerName is set as the result of gethostname().
All-in-all:
* the cups.postinst certificate symlinking is not achieving what it wants: the
symlinks are not used, and CUPS will generate new self-signed certificates on-
demand anyway. We should either stop the symlinking (and defer to CUPS' code)
or fix it (put ssl-cert's back).
* I certainly agree that this migration away from ServerCertificate and
ServerKey was suboptimally documented by upstream (and hence by Debian), but
that's too late. :-/
* The forced certificate name is unfortunate, but of upstream' realm, and I
don't really fancy forcefully changing that back to 'server.crt', as using the
hostname is somewhat better, isn't it?
Looking forward to your feedback!
Cheers,
OdyX
signature.asc
Description: This is a digitally signed message part.
