#1279 PR merged: Excluded private keys from recovery for curl https (see: PR #1267)
Labels: enhancement, fixed / solved / done, minor bug
didacog opened issue at 2017-04-05 14:22:
brief description of changes:
Added excludes of SSL private keys in /usr/share/rear/conf/GNU/Linux.conf
This code has been tested on RHEL/CentOS where curl has NSS support /etc/pki/*. SLES/openSUSE and Debian/Ubuntu are ok with not including (/etc/ssl/private).
jsmeix commented at 2017-04-05 14:48:
@didacog
Wow! That was fast - in particular with your testing!
Many thanks for your contribution.
schlomo commented at 2017-04-05 14:50:
Probably would be nice to document the behavior somewhere, together with the explanation of how to get the private keys back into the rescue media for those who actually do use client certificates.
jsmeix commented at 2017-04-05 14:56:
In default.conf there is REAR_CAPATH (added by @didacog)
where the comment looks as if that one is meant for
such certificates (but I am not at all a certificates expert).
didacog commented at 2017-04-05 15:08:
@jsmeix
Correct, by default /etc/rear/cert. There can be stored certs or keys
that should be used by rear.
We store there the DRLM server certificate for HTTPS communication between ReaR & DRLM:
# curl --capath $REAR_CAPATH ...
for keys could be used:
# curl --key $REAR_CAPATH/key.pem ...
on the other hand, being more purist: $REAR_KEYPATH=/etc/rear/private could be created if required.
Regards,
[Export of Github issue for rear/rear.]
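
One way to confirm that the exclusion discussed in this thread holds for a given rescue image, as an added example that is not part of the PR or of ReaR: a shell function that walks an unpacked image tree and reports any file carrying private-key material. The function name `find_private_keys` and the idea of pointing it at an unpacked image directory are assumptions; it goes beyond the two paths named above by matching file content (PEM headers) and NSS key database names (`key3.db`, `key4.db`) anywhere in the tree.

```shell
#!/bin/sh
# Added example (not ReaR code): report private-key material in a directory
# tree, e.g. an unpacked rescue image, to verify that keys were excluded.

# find_private_keys ROOT
#   Prints one path per line for each regular file under ROOT that either
#   contains a PEM private-key header or is an NSS key database.
#   Returns 0 if nothing was found, 1 if key material was found,
#   2 if ROOT is not a directory.
find_private_keys() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # PEM headers: PRIVATE KEY, RSA/EC/DSA PRIVATE KEY, ENCRYPTED PRIVATE KEY,
    # OPENSSH PRIVATE KEY. Certificates (BEGIN CERTIFICATE) do not match.
    pem=$(find "$root" -type f -exec \
        grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + \
        2>/dev/null || true)

    # NSS stores keys in key3.db (legacy) or key4.db (SQLite); these have no
    # PEM header, so they are matched by file name instead.
    nss=$(find "$root" -type f \( -name key3.db -o -name key4.db \) \
        2>/dev/null || true)

    hits=$(printf '%s\n%s\n' "$pem" "$nss" | sed '/^$/d' | sort -u)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}
```

A key placed deliberately for client-certificate use, such as the `$REAR_CAPATH/key.pem` mentioned above, will also be listed, so the output is a review list and not only a failure signal.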