From: "Milton Miller II" <miltonm@us.ibm.com>
To: Ed Tanous <ed@tanous.net>
Cc: Devender Rao <devenrao@in.ibm.com>,
	"Mohammed.Habeeb ISV" <mohammed.habeeb@inventec.com>,
	Gunnar Mills <gmills@linux.vnet.ibm.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	Jayanth Othayoth <ojayanth@in.ibm.com>
Subject: RE: No option to delete SSL certificates
Date: Fri, 5 Mar 2021 18:41:16 +0000	[thread overview]
Message-ID: <OF78757961.7D9FD99E-ON0025868F.0066A7C0-0025868F.0066A7C9@notes.na.collabserv.com> (raw)
In-Reply-To: <CACWQX83ouxxsU+zqeix56feoHerQXJ9uKD+gmgfG8PDSoU6y1Q@mail.gmail.com>

On March 05, Ed Tanous wrote:
>On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills
><gmills@linux.vnet.ibm.com> wrote:
>>
>> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
>> > In webui-vue, SSL certificates have only a replace option. The Delete
>> > button is greyed out.
>> >
>> > Is there any reason for not providing a delete option?
>
>I can't explain why the TrustStore certificate isn't deletable, that
>seems like a bug in webui-vue.
>
>The HTTPS certificate isn't deletable because that would effectively
>disable the HTTPS interface entirely, which seems like a problem,
>given that you're currently using the HTTPS interface to communicate
>with the BMC.  Because of that, we only support replacing the
>certificate.  In a perfect world, we could regenerate a new
>self-signed certificate if the old one was deleted, but nobody has
>written that code so far as I'm aware, I suspect because it's just as
>easy to replace the certificate with your own self-signed cert.

There was also discussion (but I don't remember if it was email
or in a Gerrit review) that deleting invalid certificates was
a bad idea when they are invalid for the current time, because
sometimes the issue is the loss of the real-time clock, and we
don't want to delete what should be a good cert and replace it with
a self-signed one just because the RTC is wrong.

Deleting the current cert can cause issues with certificate 
pinning in the browser.

>>
>> Looking at the code, I believe the only certificate that can be deleted
>> in bmcweb is the Trust Store Certificate
>>
>> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
>>
>> And this is reflected in the webui-vue code:
>>
>> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
>>
>> I am not sure if there is a reason for not supporting deleting other
>> certificates or just no one has done the work.
>>
>> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
>>
>> Thanks,
>> Gunnar

milton
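The point raised above, that a certificate which looks time-invalid may only look that way because the BMC's RTC has reset, is easy to get wrong in a management UI or a firmware health check. The following is an added example (not code from the thread, from bmcweb or from webui-vue) of a validity check that treats an untrusted clock as its own outcome instead of folding it into "expired". The certificate dates, the current time and the firmware build time (`clock_floor`, the earliest instant a sane clock could show) are all constructed sample values; the function names are hypothetical.

```python
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    """Outcome of a time-based certificate check."""
    VALID = "valid"
    EXPIRED = "expired"
    NOT_YET_VALID = "not_yet_valid"
    CLOCK_UNTRUSTED = "clock_untrusted"  # RTC looks reset; do not act on time


def assess_certificate(not_before: datetime, not_after: datetime,
                       now: datetime, clock_floor: datetime) -> Verdict:
    """Classify a certificate's validity window against the system clock.

    clock_floor is a time the system clock can never legitimately precede
    (the firmware build time is a common choice). A clock before that floor
    means the RTC has lost its setting, so any expired / not-yet-valid
    verdict would be an artefact of the clock, not of the certificate.
    """
    if now < clock_floor:
        return Verdict.CLOCK_UNTRUSTED
    if now < not_before:
        return Verdict.NOT_YET_VALID
    if now > not_after:
        return Verdict.EXPIRED
    return Verdict.VALID


def replacement_advisable(verdict: Verdict) -> bool:
    """Only an expired cert seen under a trusted clock warrants replacement.

    A cert that merely looks invalid because the clock is untrusted, or one
    that is not yet valid (clock still catching up after a reset or skewed
    against the issuer), is kept: replacing it with a fresh self-signed cert
    would discard a good certificate and break any pin a browser holds.
    """
    return verdict is Verdict.EXPIRED


def assess_iso(not_before: str, not_after: str, now: str, clock_floor: str) -> str:
    """Convenience wrapper taking ISO-8601 UTC strings; returns the verdict name."""
    def parse(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    return assess_certificate(parse(not_before), parse(not_after),
                              parse(now), parse(clock_floor)).value


# Constructed sample values: a one-year cert and a firmware built just before it.
SAMPLE_NOT_BEFORE = "2021-03-05T00:00:00"
SAMPLE_NOT_AFTER = "2022-03-05T00:00:00"
SAMPLE_CLOCK_FLOOR = "2021-03-01T00:00:00"  # hypothetical firmware build time


def run_scenarios() -> dict:
    """Evaluate the sample cert under several constructed clock readings."""
    scenarios = {
        "rtc_reset_to_epoch": "1970-01-01T00:00:00",   # typical RTC-loss symptom
        "in_window": "2021-06-01T00:00:00",
        "after_expiry": "2023-01-01T00:00:00",
        "before_issuance": "2021-03-03T00:00:00",     # clock trusted but early
    }
    return {name: assess_iso(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, now,
                             SAMPLE_CLOCK_FLOOR)
            for name, now in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict:16s} "
              f"replace={replacement_advisable(Verdict(verdict))}")
```

The floor does not have to be the build time; any monotonic anchor the firmware can trust (last NTP sync persisted to flash, for instance) works. What matters is that the check can say "I cannot tell" rather than "expired", so that a delete-or-regenerate path is never triggered by a clock that has simply forgotten what time it is.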


Thread overview: 8+ messages
2021-03-05  3:52 No option to delete SSL certificates Mohammed.Habeeb ISV
2021-03-05 17:42 ` Gunnar Mills
2021-03-05 17:52   ` Ed Tanous
2021-03-05 18:22     ` Mohammed.Habeeb ISV
2021-03-05 18:41   ` Milton Miller II [this message]
2021-03-05 20:28     ` Ed Tanous
2021-03-05 23:24       ` Derick Montague
2021-03-06  5:03         ` Jayanth Othayoth
