Bugzilla – Bug 5071
provide direct way to change publisher to not use certificate
Last modified: 2009-03-09 14:26:36 UTC
Currently, the only way to change an authority to stop using a certificate with an SSL connection is to do "pkg unset-authority" and then "pkg set-authority". And if the authority is the preferred or the only authority, this cannot be done either. This is a request to have a direct way to accomplish this using just the pkg set-authority command. For example, changing the URL to a non-SSL URL could clear the certificate and key values. Or passing in the empty string for the certificate and key could mean to set those values to None, e.g.:

    $ pkg set-authority -c "" -k "" test

Or maybe there could be an additional argument, such as --remove-certificate, that would clear the two values. The goal here is to be able to go from using an SSL repository with a certificate back to a non-SSL repository without a certificate.
Another oddity related to this is that if the origin URL is an http URL (not https), the certificate check is still done even though the certificates are not used. One might expect that the cert and key fields should be ignored for non-https URLs. This might be considered a different bug, in which case another issue should be opened. If you have a valid cert and key and just want to switch back to a non-SSL URL, then one can do that via set-authority. The certificate check will pass and then the certificate will not be used in the connection.
This is needed for the repository APIs.
Work has started as part of bug 5871.
The way forward here will be to support -k "" and -c "". Once a new transport system is put into place, and this information is supported at the URI level (i.e. individual origin, mirror, etc.) then this should be revisited.
Implemented in changeset 926 / 6ee411c9026af426a657cb1f5e4b73c14c2e1112.
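
The behaviour discussed in this bug, sketched as an added example (not code from the pkg project or from changeset 926): an option left unset keeps the stored value, an empty string clears it, and the certificate files are checked only when the origin is https. The function name, the settings dict layout, and the rule that certificate and key are set or cleared together are assumptions of this sketch.

```python
import os
from urllib.parse import urlsplit

UNCHANGED = None  # option was not given on the command line


def update_ssl_settings(current, origin=UNCHANGED, cert=UNCHANGED, key=UNCHANGED):
    """Return updated settings for one authority (hypothetical helper).

    current: dict with 'origin', 'ssl_cert', 'ssl_key' (None when unset).
    None keeps the stored value; "" clears it, as with -c "" / -k "".
    """
    new = dict(current)  # never mutate the stored configuration in place
    if origin is not UNCHANGED:
        new["origin"] = origin
    for field, value in (("ssl_cert", cert), ("ssl_key", key)):
        if value is UNCHANGED:
            continue
        new[field] = None if value == "" else os.path.abspath(value)

    # Assumption of this sketch: a certificate without its key (or the
    # reverse) is a configuration error, so both change together.
    if (new["ssl_cert"] is None) != (new["ssl_key"] is None):
        raise ValueError("certificate and key must be set or cleared together")

    # Check the files only when the connection would actually use them,
    # so switching to a plain http origin does not fail on unused paths.
    if urlsplit(new["origin"]).scheme == "https" and new["ssl_cert"]:
        for path in (new["ssl_cert"], new["ssl_key"]):
            if not os.path.isfile(path):
                raise ValueError("missing SSL file: %s" % path)
    return new


# Constructed sample configuration; paths and host are placeholders.
SAMPLE = {
    "origin": "https://example.invalid/repo",
    "ssl_cert": "/constructed/cert.pem",
    "ssl_key": "/constructed/key.pem",
}

if __name__ == "__main__":
    print(update_ssl_settings(SAMPLE, origin="http://example.invalid/repo",
                              cert="", key=""))
```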