On Tue, 2011-05-17 at 11:39 -0400, Hans Lellelid wrote:
> Hi Seth -- thanks for the response.
>
> (inline)
>
> > > We're looking at using certmaster without func (for now, anyway)
> > > as a very lightweight development PKI solution. Basically we want
> > > to be able to request certs automatically (we use Puppet) and
> > > ensure they're signed by something we trust. Certmaster sounds
> > > perfect.
> >
> > okay - that's fine - but you do know that puppet has its own CA
> > built in, too, right?
> >
> > puppetca does just the same thing certmaster does.
> >
> > func even has a mode to use the puppet certs.
>
> Hmmm -- ok. That's probably worth more consideration. We like
> Python, though, so for the flexibility of using it when we don't need
> Puppet we might still prefer certmaster.
>
> > > (1) The certmaster daemon segfaults on CentOS 5.6 using the
> > > certmaster 0.28-1 package from EPEL. This appears to be happening
> > > in the create-cert step, since the ca key exists but no cert.
> > > Anyway, SSL/pyOpenSSL seems to be a likely culprit. Anyway, I
> > > haven't investigated further, because I rebuilt the RPM for
> > > python27 (we are using python26 from epel and our own python27
> > > epel-based packages) and that worked fine.
> >
> > known - the new pyopenssl should have fixed it.
>
> Ok, great. Yeah, since I had to also create a python27-pyOpenSSL
> package, it's likely that this is what really fixed the problem :)
>
> > > (2) The certmaster-sync triggers that are installed/enabled by
> > > default by the RPM implicitly require func. This breaks for us,
> > > obviously. (I realize that certmaster-sync is the culprit here, so
> > > if that is supposed to work without func, that is probably the
> > > problem; if that is a func tool then it probably shouldn't be
> > > enabled by default.)
> >
> > hmm - that's a disentangling that would be useful.
>
> Yeah, for now I just commented out adding the triggers from the spec.
>
> > > (3) We'd really like to be able to specify the hostname when
> > > calling certmaster-request, since we have many hosts which have
> > > multiple interfaces / IPs (e.g. SSL vhosts) for which we'll want
> > > certs. I made a patch in our RPM process to add this feature (add
> > > optparse + --hostname param).
> >
> > I'd be interested in seeing that patch.
>
> Very simple - but attached.

and applied.

thanks
-sv

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list