SCIENTIFIC-LINUX-USERS Archives

February 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
David Sommerseth <[log in to unmask]>
Reply To:
Date:
Sat, 11 Feb 2017 00:08:06 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (90 lines)
On 10/02/17 23:42, Konstantin Olchanski wrote:
> On Fri, Feb 10, 2017 at 10:40:43PM +0100, David Sommerseth wrote:
>>
>> So if you put your system into permissive mode (setenforce 0), run the
>> certbot stuff via cron ... and grep out the denied lines, and I'll help.
>>
>>  That is my offer.
>>
> 
> I appreciate your offer and I say "thank you". But the reality is I do
> not have the time to work on this problem.

Then these rants make even less sense.

>>
>> "the direction of el7 Linux" isn't even close to being managed by this mailing list.
>>
> 
> Then how is it managed? From a spherical board room at Red Hat in a vacuum?
> Surely user input comes in somewhere, even if indirectly from
> the SL-users mailing list via FermiLab.

It all starts in the Fedora distribution.  When Red Hat gets ready for
the next major release of RHEL, they decide what to focus on from Fedora,
stabilise that, and you have a new RHEL release.  Then CentOS and SL
pick up the RHEL sources, strip out Red Hat trademarks and ship their
blend of RHEL.

I doubt Red Hat cares too much about what happens on this ML.  They
might lurk here.  But what they truly work on is based on what's in
their own bugzilla or customer portal.

> Perhaps it is this lack of management that causes the present problem -
> where to have a web server one must do https, to do https one must have
> properly signed certificate, to have such certificate one must use the "letsencrypt" service,
> which malfunctions in the default configuration of RHEL/SL/CentOS7.

Letsencrypt certbot is not doing things properly.  You can perfectly
well install Apache httpd, Nginx, Lighttpd, etc., and they will run
perfectly fine, including with SSL certificates.  The reason certbot
fails is that certbot does not account for SELinux.  That's hardly
RHEL/SL's fault.

> (if there is another certificate service where I can roll out new certificates
> from a script and have them refresh automatically, I am all ears).

FreeIPA ships with certificate management and roll-out, including
automated certificate updates.  It's based on the Dogtag project [1].
But you won't get a certificate which is signed by a public CA (like
Letsencrypt).

But you might find simpler Letsencrypt tools than certbot, like
acme_tiny.py [2], easier to work with (and requiring fewer privileges).

[1] <http://pki.fedoraproject.org/wiki/PKI_Main_Page>
[2] <https://github.com/diafygi/acme-tiny>

>> But I could also twist
>> your argument: If you're not willing to accept that the world is moving
>> on and you need to learn things, perhaps you should start doing
>> something else instead?
> 
> My signature says "data acquisition", not "sysadmin". My field has been static
> for the last 100 years, no need to learn anything new ever. Not.

Then perhaps you should let those who know how to do this properly do
their job.  And you can focus on your own job.  There's a reason I'm not
insisting on driving a train or a plane myself; I don't have the skills
needed.  But I can drive a car whenever I need that, because I believe I
do have those skills.  But if my car breaks down, I also don't try to
fix it myself - for the very same reasons.

>>
>> But by all means, if you only came here to rant ...
> 
> That's for sure. Not too many happy people writing "SL works great for me" on this mailing list.

Perhaps they don't see the need to flood the ML with such feedback?

That people don't say "it works fine for me" is by no means an indication
that everything is broken and bad.  The fairly _low_ number of
complaints on this list can just as well be an indication that things
work well.  Or that very few use SL (which I have more trouble believing).


-- 
kind regards,

David Sommerseth
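The diagnostic step offered earlier in this thread (run certbot from cron with SELinux in permissive mode, then grep the denied lines out of the audit log) is the standard way to see every denial a job would hit in a single run, since in permissive mode nothing is blocked and each AVC record carries permissive=1. As an added example that is not part of the original thread, here is a small Python parser that pulls the AVC records out of audit.log text and aggregates them by source type, target type, object class and permission. The log lines are constructed samples in the audit.log format; the type names in them (system_cronjob_t, cert_t, http_port_t) and the inode and pid values are assumptions for illustration, not values reported by anyone in the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of /var/log/audit/audit.log content. The SELinux types,
# pids and inodes are illustrative assumptions, not data from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1486767601.123:4321): avc:  denied  { write } for  pid=2345 comm="certbot" name="live" dev="dm-0" ino=112233 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1486767601.123:4321): arch=c000003e syscall=2 success=yes exit=3 comm="certbot"
type=AVC msg=audit(1486767602.456:4322): avc:  denied  { name_connect } for  pid=2345 comm="certbot" dest=443 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1486767603.789:4323): avc:  denied  { write } for  pid=2345 comm="certbot" name="privkey.pem" dev="dm-0" ino=112240 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
"""

# Matches only AVC denial records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component (third field) of a user:role:type[:range] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_denials(log_text: str) -> List[Dict[str, str]]:
    """Extract structured records from every AVC denial line in audit.log text."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        records.append({
            "perms": m.group("perms").strip(),
            "comm": fields.get("comm", "?"),
            "scontext": fields.get("scontext", "?"),
            "tcontext": fields.get("tcontext", "?"),
            "tclass": fields.get("tclass", "?"),
            # permissive=1 means the access was logged but allowed to proceed,
            # which is why a permissive run shows all denials at once.
            "permissive": fields.get("permissive", "0"),
        })
    return records


def summarize(records: List[Dict[str, str]]) -> Counter:
    """Count denials by (source type, target type, object class, permission)."""
    counts: Counter = Counter()
    for r in records:
        key: Tuple[str, str, str, str] = (
            context_type(r["scontext"]),
            context_type(r["tcontext"]),
            r["tclass"],
            r["perms"],
        )
        counts[key] += 1
    return counts


def collected_in_permissive_mode(records: List[Dict[str, str]]) -> bool:
    """True when every denial was recorded with permissive=1 (a complete run)."""
    return bool(records) and all(r["permissive"] == "1" for r in records)


if __name__ == "__main__":
    recs = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} AVC denials, permissive run: {collected_in_permissive_mode(recs)}")
    for (stype, ttype, tclass, perms), n in summarize(recs).most_common():
        print(f"{n:3d}  {stype} -> {ttype} ({tclass}) {{ {perms} }}")
```

The aggregated tuples are exactly what you would hand to audit2allow, or compare against the file labels the policy expects, to decide whether the fix is relabelling the certificate directory, running the renewal under a different domain, or a small targeted policy module. Denials with permissive=0 mean the action was actually blocked, so a list that mixes both values tells you the job only got as far as the first enforced denial.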
