On Tue, 2011-05-17 at 10:50 -0400, Hans Lellelid wrote:
> Hi -
>
> We're looking at using certmaster without func (for now, anyway) as a
> very lightweight development PKI solution. Basically we want to be
> able to request certs automatically (we use Puppet) and ensure they're
> signed by something we trust. Certmaster sounds perfect.

okay - that's fine - but you do know that puppet has its own CA built in,
too, right? puppetca does just the same thing certmaster does. func even
has a mode to use the puppet certs.

> I've run into a few stumbling blocks along the way that I wanted to
> mention; I think the appropriate place for most of this is the issue
> tracker, but figured I would start with an email.
>
> (1) The certmaster daemon segfaults on CentOS 5.6 using the certmaster
> 0.28-1 package from EPEL. This appears to be happening in the
> create-cert step, since the ca key exists but no cert. Anyway,
> SSL/pyOpenSSL seems to be a likely culprit. Anyway, I haven't
> investigated further, because I rebuilt the RPM for python27 (we are
> using python26 from epel and our own python27 epel-based packages) and
> that worked fine.

known - the new pyopenssl should have fixed it.

> (2) The certmaster-sync triggers that are installed/enabled by default
> by the RPM implicitly require func. This breaks for us, obviously.
> (I realize that certmaster-sync is the culprit here, so if that is
> supposed to work without func, that is probably the problem; if that
> is a func tool then it probably shouldn't be enabled by default.)

hmm - that's a disentangling that would be useful.

> (3) We'd really like to be able to specify the hostname when calling
> certmaster-request, since we have many hosts which have multiple
> interfaces / IPs (e.g. SSL vhosts) for which we'll want certs. I made
> a patch in our RPM process to add this feature (add optparse +
> --hostname param).

I'd be interested in seeing that patch.

> There are some other changes we made to the SPEC file to sort of
> "best-practicize" it, I'd like to contribute all of this back up for
> consideration. Should I just create a ticket in Trac and attach the
> patches there?

Or post your patches here.

-sv
_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
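Added example, not part of the thread and not certmaster's code: the shape of the "optparse + --hostname" change described in item (3), written as a stand-alone script. It lets the caller name the host the request is for, defaults to the machine's FQDN, and validates the value before it would become a certificate subject (a CA should not be asked to sign a CN that is not a plain hostname). The function names, the `default_fqdn` test hook and the RFC 1123 label check are this example's own assumptions; the real certmaster-request entry point and its argument handling are not shown here.

```python
"""Hypothetical --hostname option for a certificate request CLI.

Not certmaster's code: an added example of the optparse change discussed
on the list. It resolves which hostname to request a cert for and refuses
names that should never end up as a certificate CN.
"""
import optparse
import re
import socket
import sys

# One RFC 1123 host label: 1-63 chars of [A-Za-z0-9-], no leading/trailing '-'.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Return True if `name` is a syntactically valid DNS hostname.

    Rejects wildcards, whitespace, empty labels and over-long names so the
    CA is only ever asked to sign a plain hostname.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):  # tolerate an absolute (trailing-dot) name
        name = name[:-1]
    return all(_LABEL_RE.match(label) for label in name.split("."))


def build_parser():
    """optparse parser with the single added option."""
    parser = optparse.OptionParser(usage="%prog [--hostname FQDN]")
    parser.add_option("--hostname", dest="hostname", default=None,
                      help="request a cert for this hostname instead of "
                           "the local FQDN (useful for SSL vhosts)")
    return parser


def resolve_hostname(argv, default_fqdn=None):
    """Return the validated, lower-cased hostname to request a cert for.

    `argv` is the argument list (without the program name). `default_fqdn`
    is an assumed test hook; when None the local FQDN is used, as the
    unpatched tool would. Raises ValueError on an unusable hostname.
    """
    opts, _args = build_parser().parse_args(argv)
    name = opts.hostname or default_fqdn or socket.getfqdn()
    name = name.strip().lower()
    if not valid_hostname(name):
        raise ValueError("invalid hostname for certificate request: %r" % name)
    return name


if __name__ == "__main__":
    try:
        print(resolve_hostname(sys.argv[1:]))
    except ValueError as exc:
        sys.exit("error: %s" % exc)
```

Run as `python script.py --hostname vhost1.example.com`; with no option it prints the local FQDN. Wiring the returned name into the actual CSR generation is left to whatever request code the tool already has.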