#7832 [WebUI] cross-origin request
Closed: fixed 5 years ago by stsymbal. Opened 5 years ago by slev.

Symptom: the 'ssbrowser.html' web page is empty (without the expected content)
How to reproduce:
1) mozilla firefox 63.0.1;
2) open IPA login page;
3) click on 'configured' link

There is an error message in the dev console (see the screenshot).


The reason why config pages are on http and not https is the fact that part of the process could also be importing the CA cert, so that the workflow to import the CA cert doesn't need to involve working around the cert error. On the other hand, it doesn't increase security - it's more of a UX thing.

With the change of the pages to communicate with the IPA API to get i18n messages, this indeed becomes a problem (this bug).

Approaches I see are:
- change the configuration workflow so that the import of the CA cert is done differently. This is solved by an IPA-enabled system where the cert is added by ipa-client-install to a central store. For others, I know what could be the solution where the page would be still localized
- allow http for the i18n messages API end point.

I don't like any.

IMHO there are 3 problems mixed into one:
1) actually, a user cannot visit the 'non-https' version of IPA login page. Thus a user always has the 'https' one, but cannot follow 'http' link for 'ssbrowser.html' (this issue);

2) as for now there is no implementation to provide redirection to 'ssbrowser' in case of some kind of CA cert problem;

3) the 'http' version of 'ssbrowser' is not operational due to i18n messages, as you mentioned;

For now, only the 1st issue can be easily fixed.
https://github.com/freeipa/freeipa/pull/2745

master:

  • e3f3796 Don't use cross-origin request

Metadata Update from @stsymbal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
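
The origin comparison behind this ticket, as an added example that is not part of the ticket or of FreeIPA's code: it classifies a page's request as same-origin or cross-origin from the (scheme, host, port) tuple and flags mixed content. The host name and paths are constructed placeholders, and `originOf` and `classifyRequest` are hypothetical helper names.

```javascript
// Added example: how a browser decides whether a page's request is cross-origin.
// Host name and paths below are constructed placeholders, not FreeIPA's real URLs.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple (scheme, host, port); default ports are made explicit for comparison.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Classify a request made by the page at pageUrl.
// Relative request URLs resolve against the page, so they keep its origin.
function classifyRequest(pageUrl, requestUrl) {
  const target = new URL(requestUrl, pageUrl).href;
  const page = originOf(pageUrl);
  const req = originOf(target);
  const differs = ['scheme', 'host', 'port'].filter((k) => page[k] !== req[k]);
  return {
    target,
    sameOrigin: differs.length === 0,
    differs,
    // An https page requesting an http resource is mixed content.
    mixedContent: page.scheme === 'https:' && req.scheme === 'http:',
  };
}

// Constructed cases mirroring the discussion above.
const HTTP_PAGE = 'http://ipa.example.test/ssbrowser.html';
const HTTPS_PAGE = 'https://ipa.example.test/ssbrowser.html';
const HTTPS_API = 'https://ipa.example.test/i18n-placeholder';

const cases = [
  ['http page, absolute https API', HTTP_PAGE, HTTPS_API],
  ['https page, absolute https API', HTTPS_PAGE, HTTPS_API],
  ['http page, relative API URL', HTTP_PAGE, '/i18n-placeholder'],
  ['https page, absolute http API', HTTPS_PAGE, 'http://ipa.example.test/i18n-placeholder'],
];
for (const [label, page, request] of cases) {
  const r = classifyRequest(page, request);
  console.log(`${label}: sameOrigin=${r.sameOrigin} differs=[${r.differs}] mixed=${r.mixedContent}`);
}
```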
