First, thanks for your effort and patience with my domain requests…
When you set the virtualhost and uninstall nethserver-gitea the /etc/httpd/conf.d/zz_gitea.conf isn’t deleted and still points to files that are not there anymore:
Sep 06 14:28:14 testvm2.domain.local httpd[6543]: AH00526: Syntax error on line 32 of /etc/httpd/conf.d/zz_gitea.conf:
Sep 06 14:28:14 testvm2.domain.local httpd[6543]: SSLCertificateFile: file '/etc/pki/gitea/certs/gitea.crt' does not exist or is empty
Another question: Is it possible to set a custom gitea mail from address?
Good question… I rarely (never) found the need of cleaning up during package removal. The %postun script above shouldn’t harm!
Please note that if the .conf file is not a template/RPM config file, it is removed by RPM itself. When a nethserver package is removed, the “update” events of all remaining packages are fired, so httpd is fully restarted.
Cleaning up /etc/httpd/conf.d seems to be a good idea in general because even if NS cert is used and httpd throws no error some unneeded virtualhost/reverseproxy stays there.
This leads to another question: Is there a special reason to use an own certificate for gitea? It seems to work If you just use the NS cert/key, I tried git push to HTTPS and it worked:
A certificate consumer daemon should expand those templates to its own certificate paths, by installing the proper configuration under /etc/e-smith/templates.metadata.
I’d just keep the reverse proxy to localhost, so we stay flexible and can do cert settings in httpd via web UI.
Sorry, it wasn’t clear from my statement.
And i was not so clear too:
I ment: what if someone opens the port to red/green ? And sends password etc unencrypted, should we take measures to this mall-configuration and use https://::5321 ? may be done conditional…
An option to prevent this would be to enforce the db prop value with a force/ db entry. For me documenting it it’s more than enough (…service runs on localhost and iiss accessible through a reverse proxy. Changing service access is discouraged and can lead to security issues or unexpected behaviour).
https can have a little performance penalty.
Don’t know, could a vulnerable service sniff or ex-filtrate traffic from another one?
Use the default (localhost) certificate in apache configuration
Examine if the gitea daemon really needs a certificate , if possible drop it (love to do it KISS )
Clarify documentation regarding keeping access for the service on the localhost - or - enforce db entry (first thought/feeling is the documentation option)
EDIT
Turns out we do not need a certificate for the daemon aslong the deamon uses http.
(resulting commit)