Hans Lellelid
2011-05-17 14:50:44 UTC
Hi -
We're looking at using certmaster without func (for now, anyway) as a very
lightweight development PKI solution. Basically we want to be able to
request certs automatically (we use Puppet) and ensure they're signed by
something we trust. Certmaster sounds perfect.
I've run into a few stumbling blocks along the way that I wanted to mention;
I think the appropriate place for most of this is the issue tracker, but
figured I would start with an email.
(1) The certmaster daemon segfaults on CentOS 5.6 using the certmaster
0.28-1 package from EPEL. This appears to be happening in the create-cert
step, since the ca key exists but no cert. Anyway, SSL/pyOpenSSL seems to
be a likely culprit. Anyway, I haven't investigated further, because I
rebuilt the RPM for python27 (we are using python26 from epel and our own
python27 epel-based packages) and that worked fine.
(2) The certmaster-sync triggers that are installed/enabled by default by
the RPM implicitly require func. This breaks for us, obviously. (I realize
that certmaster-sync is the culprit here, so if that is supposed to work
without func, that is probably the problem; if that is a func tool then it
probably shouldn't be enabled by default.)
(3) We'd really like to be able to specify the hostname when calling
certmaster-request, since we have many hosts which have multiple interfaces
/ IPs (e.g. SSL vhosts) for which we'll want certs. I made a patch in our
RPM process to add this feature (add optparse + --hostname param).
There are some other changes we made to the SPEC file to sort of
"best-practicize" it, I'd like to contribute all of this back up for
consideration. Should I just create a ticket in Trac and attach the patches
there?
Thanks,
Hans
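An added illustration of the `--hostname` option described in point (3), written for this page and not taken from certmaster or from the patch in the email. It assumes an optparse-based `certmaster-request` style command line, an RFC 1123 syntax check on the supplied name, and, because the requester now chooses the name, a glob allow-list on the signing side (`is_name_allowed`); the function names, the validation rule and the allow-list mechanism are all assumptions, not certmaster's actual configuration.

```python
import fnmatch
import optparse
import re
import socket

# Constructed example in the style the email proposes for certmaster-request.
# Function names, the validation regex and the allow-list policy are
# assumptions for illustration; they are not certmaster's own API.

# RFC 1123 hostname syntax: labels of letters, digits and hyphens, not
# starting or ending with a hyphen, at most 63 characters each, joined by
# dots, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s\.?$" % (_LABEL, _LABEL))


def is_valid_hostname(name):
    """Return True if name is a syntactically valid DNS hostname."""
    if not name or len(name) > 253:
        return False
    return _HOSTNAME_RE.match(name) is not None


def parse_request_args(argv, default_hostname=None):
    """Parse certmaster-request style arguments.

    Returns the name the certificate should be requested for: the --hostname
    value when given, otherwise default_hostname (the machine's FQDN when
    None). A malformed name makes optparse exit with a usage error.
    """
    parser = optparse.OptionParser(usage="%prog [--hostname FQDN]")
    parser.add_option(
        "--hostname",
        dest="hostname",
        default=None,
        help="request a certificate for this name instead of the local FQDN "
             "(e.g. an SSL vhost served from this host)",
    )
    opts, _args = parser.parse_args(argv)

    hostname = opts.hostname
    if hostname is None:
        hostname = default_hostname if default_hostname is not None else socket.getfqdn()
    hostname = hostname.strip().lower()

    if not is_valid_hostname(hostname):
        parser.error("invalid hostname: %r" % hostname)
    return hostname


def is_name_allowed(hostname, allowed_globs):
    """Signing-side policy check (assumed glob allow-list, not certmaster's).

    Once the requester picks the name, the CA should only auto-sign names it
    expects to issue, e.g. ["*.example.com"]; anything else waits for manual
    review. Note that fnmatch's '*' also matches dots, so "*.example.com"
    covers deeper subdomains as well.
    """
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in allowed_globs)


if __name__ == "__main__":
    import sys
    name = parse_request_args(sys.argv[1:])
    print("requesting certificate for %s" % name)
```

The client-side check only rejects syntactically bad names; the allow-list in `is_name_allowed` is where the trust decision belongs, since a client that can name any host it likes must not be able to obtain an auto-signed certificate for it.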