[BlueOnyx:15016] Re: SSL change after updates?

Michael Stauber mstauber at blueonyx.it
Wed Mar 26 19:56:27 -05 2014


Hi Matt,

> Relatedly: I've been delaying server updates on a couple
> of our servers due to this change.  Can you tell me
> which packages I should avoid updating that would
> pertain to this?

Unfortunately this update is all or nothing due to changed ACLs. If
you (for example) keep the old base-vsite and base-ssl RPMs around by
excluding them from the update, then the old ACLs and new ACLs won't
agree with each other anymore. Which might make it impossible to use the
GUI pages from these old RPMs.

> [...] wildcard domains and SSLs [...]

I'm not sure I understand the problem entirely, as I never used wildcard
SSL certificates myself. Where does the '*' go? With that I mean I need
to know all the places where a '*' might be valid.

From what you wrote I guess the wildcard goes into the "web server
alias" and the "email server alias"?

How about the DNS? From a talk with Greg I recall that DNS wildcards are
also allowed these days. So we also could have "A Records" and "MX
Records" with wildcards?

I really need to know the entire applicability in order to make this happen.

One potential problem I see is simply this: We use the same regular
expression and data-type for CODB objects of the type "hostname".

So if I change that to also accept '*' as valid input, it will be
global. Which means you could also create a Vsite named '*.site.com' or
could name the entire server that way. Which is something we might not
want to allow.

The only way around that would be to identify the "hostname" type fields
where we do NOT want this new behavior and to rename them to something
else. BUT that creates another problem: The data needs to be migrated
from the old "hostname" field to the newly renamed one, or we end up
with blank hostnames there.

That is a bit of a nightmare.

-- 
With best regards

Michael Stauber
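
The type split discussed in the message above, as an added example that is not part of the original post and not BlueOnyx code: a strict hostname validator next to a separate wildcard-capable one, so only the alias fields accept a '*'. The label rule, the function names and the field names in `FIELD_TYPES` are assumptions for illustration; the actual CODB regular expression is not shown on this page.

```python
import re

# Assumed label rule (RFC 1123 style): 1-63 chars, alphanumeric at both ends,
# hyphens allowed in between. Not the actual CODB "hostname" regex.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_STRICT = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}\Z")
# '*' is accepted only as the entire leftmost label, followed by at least
# two concrete labels, so '*.com', 'foo*.site.com' and '*.*.site.com' fail.
_WILDCARD = re.compile(rf"\*\.(?:{_LABEL}\.)+{_LABEL}\Z")


def is_hostname(value: str) -> bool:
    """Strict type: no wildcard anywhere."""
    return len(value) <= 253 and _STRICT.match(value) is not None


def is_hostname_or_wildcard(value: str) -> bool:
    """Separate type for the fields where a wildcard is wanted."""
    if is_hostname(value):
        return True
    return len(value) <= 253 and _WILDCARD.match(value) is not None


# Hypothetical field names: the Vsite and server names keep the strict type,
# only the web and email server aliases get the wildcard-capable one.
FIELD_TYPES = {
    "vsite_fqdn": is_hostname,
    "server_hostname": is_hostname,
    "web_alias": is_hostname_or_wildcard,
    "mail_alias": is_hostname_or_wildcard,
}


def validate(field: str, value: str) -> bool:
    """Check a value against the type assigned to its field."""
    return FIELD_TYPES[field](value)


if __name__ == "__main__":
    # Constructed sample input.
    for field, value in [("web_alias", "*.site.com"),
                         ("vsite_fqdn", "*.site.com"),
                         ("mail_alias", "mail*.site.com")]:
        print(f"{field:16} {value:18} {validate(field, value)}")
```
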


