Re: certmaster w/o func, issues & patches

On Tue, 2011-05-17 at 11:39 -0400, Hans Lellelid wrote:
> Hi Seth -- thanks for the response.
> 
> (inline)
> 
>         > We're looking at using certmaster without func (for now,
>         > anyway) as a very lightweight development PKI solution.  Basically
>         > we want to be able to request certs automatically (we use Puppet)
>         > and ensure they're signed by something we trust.  Certmaster
>         > sounds perfect.
>         
>         
>         okay - that's fine - but you do know that puppet has its own
>         CA built
>         in, too, right?
>         
>         puppetca does just the same thing certmaster does.
>         
>         func even has a mode to use the puppet certs.
> 
> Hmmm -- ok.  That's probably worth more consideration.  We like
> Python, though, so for the flexibility of using it when we don't need
> Puppet we might still prefer certmaster. 
> > (1) The certmaster daemon segfaults on CentOS 5.6 using the certmaster
> > 0.28-1 package from EPEL.  This appears to be happening in the
> > create-cert step, since the ca key exists but no cert.  Anyway,
> > SSL/pyOpenSSL seems to be a likely culprit. Anyway, I haven't
> > investigated further, because I rebuilt the RPM for python27 (we are
> > using python26 from epel and our own python27 epel-based packages) and
> > that worked fine.
> 
> 
>         known - the new pyopenssl should have fixed it.
> 
> Ok, great.  Yeah, since I had to also create a python27-pyOpenSSL
> package, it's likely that this is what really fixed the problem :) 
> 
> > (2) The certmaster-sync triggers that are installed/enabled by default
> > by the RPM implicitly require func.  This breaks for us, obviously.
> > (I realize that certmaster-sync is the culprit here, so if that is
> > supposed to work without func, that is probably the problem; if that
> > is a func tool then it probably shouldn't be enabled by default.)
> >
> 
> 
>         hmm - that's a disentangling that would be useful.
>         
>         
> 
> Yeah, for now I just commented out adding the triggers from the spec.
>  
> > (3) We'd really like to be able to specify the hostname when calling
> > certmaster-request, since we have many hosts which have multiple
> > interfaces / IPs (e.g. SSL vhosts) for which we'll want certs.  I made
> > a patch in our RPM process to add this feature (add optparse +
> > --hostname param).
> 
> 
> 
>         I'd be interested in seeing that patch.
>         
>         
> 
> Very simple - but attached.
>  


and applied. thanks
-sv
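The thread mentions a patch that adds an optparse `--hostname` option to certmaster-request, but the patch itself is an attachment and is not on this page. The following is an added, hypothetical sketch of what such an option looks like when done carefully; it is not the attached patch and not certmaster's own code. Everything in it (the `resolve_hostname` and `is_valid_hostname` helpers, the default to the machine's FQDN, the RFC 1123 syntax check) is an assumption introduced here for illustration. The check matters because once the requester can name the CN, the request side should at least refuse malformed names, and the CA side still has to decide whether to sign a name that does not match the requesting host.

```python
"""Hypothetical --hostname handling for a certificate-request CLI.

Added example in the spirit of the patch discussed in the thread; NOT
certmaster's code. All names here are assumptions for illustration.
"""
import optparse  # certmaster of that era targeted Python 2.6/2.7; optparse still ships with Python 3
import re
import socket

# One RFC 1123 hostname label: letters, digits and hyphens, 1..63 chars,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Return True if `name` is a syntactically valid DNS hostname.

    A single trailing dot (absolute name) is tolerated; the overall length
    limit of 253 characters and the per-label rules are enforced.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    return all(_LABEL.match(label) for label in labels)


def build_parser():
    """optparse parser with the --hostname option (assumed option name)."""
    parser = optparse.OptionParser(usage="%prog [--hostname NAME]")
    parser.add_option("--hostname", dest="hostname", default=None,
                      help="hostname (certificate CN) to request; "
                           "defaults to this machine's FQDN")
    return parser


def resolve_hostname(argv, default_fqdn=None):
    """Parse argv and return the hostname the request should be made for.

    `default_fqdn` exists so the behaviour is testable offline; when it is
    None the machine's own FQDN is used, as the unpatched tool would.
    Raises ValueError on a malformed name so no CSR is ever built with a
    garbage CN.
    """
    opts, _args = build_parser().parse_args(argv)
    name = opts.hostname or default_fqdn or socket.getfqdn()
    if not is_valid_hostname(name):
        raise ValueError("invalid hostname: %r" % (name,))
    # Normalise an absolute name; CNs are conventionally written without
    # the trailing dot.
    return name.rstrip(".")


if __name__ == "__main__":
    import sys
    print(resolve_hostname(sys.argv[1:]))
```

On a host with several SSL vhosts this would be invoked once per name (for example `--hostname vhost2.example.com`, a constructed name); whether the CA signs a CN that differs from the requesting host's own name is a policy decision on the signing side, which this snippet deliberately does not make.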



_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list

