2023-06-14

Date and Location

Jun 14, 2023 at 15:00-16:00 (EET, UTC+3)

Location: Microsoft Teams

Attendees

  • Petteri Kivimäki (NIIS)

  • Aivar Meisterson

  • Dante Moreno

  • Gustavo Giorgetti

  • Juhani Nuorteva

  • Oleksii Danyliuk

  • Tõnis Pihlakas

Discussion items

#

Item

Notes

1

Summary of development activities

Summary of ongoing development activities.

2

X-Road 7.3.0 release

X-Road 7.3.0 will be released at the end of June. The release notes are available here.

3

Security Server support for RHEL7 and RHEL9

Currently, the Security Server supports RHEL7 and RHEL8. RHEL7 will reach its EoL in June 2024. More information about the RHEL7 support is available here.

X-Road version 7.5.0 will be released in Q2 / 2024, so it makes sense to drop support for RHEL7 in version 7.5.0. This means that the last version with RHEL7 support will be X-Road 7.4.0, which will be released in Q4 / 2023. At the same time, support for RHEL9 will be added in version 7.5.0.

Here’s a summary of Security Server’s RHEL support in the upcoming versions:

  • Version 7.3.0 (June / 2023)

    • RHEL7

    • RHEL8

  • Version 7.4.0 (Q4 / 2023)

    • RHEL7

    • RHEL8

  • Version 7.5.0 (Q2 / 2024)

    • RHEL8

    • RHEL9

However, RHEL7 will be supported for existing releases until the end of their life cycle.

4

ACME support and the use of port 80 on the Security Server

When a certificate is issued using ACME, two challenges are supported:

  • IP ownership challenge

  • DNS challenge

The IP ownership challenge uses HTTP port 80. This collides with the default Ubuntu client information system inbound communication port. To be able to use the IP ownership challenge on Ubuntu, the client information system inbound communication port must be changed.

For existing installations, the change must be done manually since it also requires configuration changes to other systems, e.g., the client information system and firewall configuration. Therefore, it's not possible to automate the change as a part of the Security Server version upgrade.

For fresh Security Server installations, there are two alternatives for handling the problem:

  1. Change the default client information system inbound communication ports to 8080 and 8443 on Ubuntu. In that way, RHEL and Ubuntu based Security Servers use the same ports. If needed, the current ports (80, 443) can still be kept as defaults by defining them in country-specific meta packages.

  2. Keep the current default ports (80, 443) in vanilla X-Road. The ports can be changed to 8080 and 8443 in country-specific meta packages if needed. In that way, countries that plan to use ACME can change the default values in their meta packages while other countries continue to use the current defaults. X-Road members can also change the ports manually; it's enough to change port 80 and leave port 443 as it is. If the DNS challenge is used, no port changes are required.

Alternative 1 is more invasive since it changes the ports for all new Ubuntu users. However, it makes the configuration more consistent across different host operating systems and X-Road ecosystems. In contrast, alternative 2 doesn't affect the current default configuration, but it creates more variation between different hosts and X-Road ecosystems. More variation makes it more difficult to offer simple, easy-to-understand documentation and to provide support in problem situations.

The X-Road Technical Committee has decided to implement alternative 1. This means that starting from X-Road version 7.4.0, the default client information system inbound communication ports will be changed to 8080 and 8443 on Ubuntu.
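The following preflight check is an added example, not part of the minutes or of the X-Road code base. It works out the effective client information system inbound ports from the defaults described above plus a manual override, and reports whether the IP ownership challenge can use port 80. The override location (a `[proxy]` section with `client-http-port` and `client-https-port` keys) is an assumption, and the sample override text is constructed.

```python
import configparser

ACME_HTTP_CHALLENGE_PORT = 80  # port used by the IP ownership challenge

# Constructed sample override: only the HTTP port is moved, 443 is left as is.
SAMPLE_OVERRIDE = """
[proxy]
client-http-port = 8080
"""

def default_ports(os_family, version):
    """Default inbound ports as described in the minutes.

    Ubuntu before 7.4.0 uses 80/443; RHEL, and Ubuntu from 7.4.0, use 8080/8443.
    """
    if os_family == "ubuntu" and version < (7, 4, 0):
        return {"http": 80, "https": 443}
    return {"http": 8080, "https": 8443}

def effective_ports(os_family, version, override_text=""):
    """Apply a manual override (assumed INI layout) on top of the defaults."""
    ports = default_ports(os_family, version)
    cfg = configparser.ConfigParser()
    cfg.read_string(override_text)
    if cfg.has_section("proxy"):
        ports["http"] = cfg.getint("proxy", "client-http-port",
                                   fallback=ports["http"])
        ports["https"] = cfg.getint("proxy", "client-https-port",
                                    fallback=ports["https"])
    return ports

def acme_preflight(os_family, version, override_text="", challenge="http"):
    """Return (ok, reason) for the chosen ACME challenge type."""
    if challenge == "dns":
        return True, "DNS challenge: no port changes required"
    ports = effective_ports(os_family, version, override_text)
    clashes = [name for name, port in ports.items()
               if port == ACME_HTTP_CHALLENGE_PORT]
    if clashes:
        return False, (f"client {clashes[0]} port is {ACME_HTTP_CHALLENGE_PORT}; "
                       "change it before using the IP ownership challenge")
    return True, f"port {ACME_HTTP_CHALLENGE_PORT} is free for the challenge"

if __name__ == "__main__":
    for args in [("ubuntu", (7, 3, 0)), ("ubuntu", (7, 3, 0), SAMPLE_OVERRIDE),
                 ("ubuntu", (7, 4, 0)), ("rhel", (7, 3, 0))]:
        print(args[0], args[1], acme_preflight(*args))
```

The check covers only the Security Server's own configuration; on existing installations the client information system and firewall rules still have to be updated to match the new port.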

5

Other topics



Next meetings

  • Meeting 14, August 16 2023, 15:00-16:00 (EEST, UTC +3)

  • Meeting 15, September 20 2023, 15:00-16:00 (EEST, UTC +3)

  • Meeting 16, October 19 2023, 15:00-16:00 (EEST, UTC +3)

  • Meeting 17, November 15 2023, 15:00-16:00 (EET, UTC +2)

  • Meeting 18, December 13 2023, 15:00-16:00 (EET, UTC +2)

  • Meeting 19, January 17 2024, 15:00-16:00 (EET, UTC +2)

  • Meeting 20, February 14 2024, 15:00-16:00 (EET, UTC +2)