- Subject: certmaster w/o func, issues & patches
- From: Hans Lellelid <hans@xxxxxxxxx>
- Date: Tue, 17 May 2011 10:50:44 -0400
We're looking at using certmaster without func (for now, anyway) as a very lightweight development PKI solution. Basically we want to be able to request certs automatically (we use Puppet) and ensure they're signed by something we trust. Certmaster sounds perfect.
I've run into a few stumbling blocks along the way that I wanted to mention; I think the appropriate place for most of this is the issue tracker, but figured I would start with an email.
(1) The certmaster daemon segfaults on CentOS 5.6 using the certmaster 0.28-1 package from EPEL. This appears to be happening in the create-cert step, since the ca key exists but no cert. Anyway, SSL/pyOpenSSL seems to be a likely culprit. Anyway, I haven't investigated further, because I rebuilt the RPM for python27 (we are using python26 from epel and our own python27 epel-based packages) and that worked fine.
(2) The certmaster-sync triggers that are installed/enabled by default by the RPM implicitly require func. This breaks for us, obviously. (I realize that certmaster-sync is the culprit here, so if that is supposed to work without func, that is probably the problem; if that is a func tool then it probably shouldn't be enabled by default.)
(3) We'd really like to be able to specify the hostname when calling certmaster-request, since we have many hosts which have multiple interfaces / IPs (e.g. SSL vhosts) for which we'll want certs. I made a patch in our RPM process to add this feature (add optparse + --hostname param).
There are some other changes we made to the SPEC file to sort of "best-practicize" it, I'd like to contribute all of this back up for consideration. Should I just create a ticket in Trac and attach the patches there?
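The following is an added illustration of the kind of optparse front-end described in item (3), written for this post and not taken from the author's patch or from the certmaster project. It assumes nothing about certmaster's internals: the function names, the fallback to the local FQDN, and the hostname validation are all assumptions made here. The security-relevant point it adds is that a hostname supplied on the command line ends up as the subject name of a CSR the CA will sign, so it is worth rejecting syntactically invalid names (wildcards, spaces, bad labels) before any request is made.

```python
# Added example (not certmaster's code): a minimal optparse front-end in the
# spirit of the --hostname patch described above. Function names and the
# validation rules are assumptions made for illustration only.
import optparse
import re
import socket

# RFC 1123 label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def valid_hostname(name):
    """Return True if `name` is a syntactically valid DNS hostname.

    The value will become the CN of a CSR that the CA signs, so we refuse
    anything that is not a plain hostname (no wildcards, spaces, or bad labels).
    """
    if not name or len(name) > 253:
        return False
    labels = name.split('.')
    return all(_LABEL.match(label) for label in labels)


def build_parser():
    """optparse parser for a certmaster-request style tool (hypothetical)."""
    parser = optparse.OptionParser(usage="%prog [--hostname FQDN]")
    parser.add_option('--hostname', dest='hostname', default=None,
                      help='request a cert for this name instead of the local FQDN')
    return parser


def resolve_hostname(argv, default_fqdn=None):
    """Parse argv and return the hostname the request should use.

    Falls back to the machine's FQDN (or `default_fqdn`, useful for tests)
    when --hostname is not given. Raises ValueError on an invalid name.
    """
    opts, _args = build_parser().parse_args(argv)
    name = opts.hostname
    if name is None:
        name = default_fqdn if default_fqdn is not None else socket.getfqdn()
    # Normalise: strip whitespace, lower-case, drop a trailing root dot.
    name = name.strip().lower().rstrip('.')
    if not valid_hostname(name):
        raise ValueError("refusing to request a cert for invalid hostname %r" % name)
    return name


if __name__ == '__main__':
    import sys
    print(resolve_hostname(sys.argv[1:]))
```

Run as `python request.py --hostname web01.example.com` to see the normalised name a request would use; with no option it prints the local FQDN. The validation is deliberately strict so that a typo or a shell-expanded wildcard fails before a signing request is ever sent to the CA.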
Func-list mailing list