Deploy Foreman with cert not from puppet #135
Conversation
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem | ||
SSLCertificateFile <%= @client_ssl_cert %> | ||
SSLCertificateKeyFile <%= @client_ssl_key %> | ||
SSLCertificateChainFile <%= @client_ssl_ca %> |
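Review bot: SSLCertificateFile and SSLCertificateKeyFile now take their values from `@client_ssl_cert` and `@client_ssl_key`, parameters whose names describe the certificate Foreman presents as a TLS client, yet here they become the identity Apache presents to browsers and API callers. Tying the two roles to one parameter means a deployment cannot present a CA-issued server cert while Foreman keeps its puppet-issued client cert, which is exactly the case this PR is for; dedicated server-side parameters (for example `server_ssl_cert`, `server_ssl_key`, `server_ssl_chain`) would keep the two identities independent. Also confirm that the `@client_ssl_*` instance variables are actually in scope where this template is rendered: if the template is evaluated from the vhost definition rather than from the class that declares these parameters, the `@` form resolves to nil and Apache will refuse to start on an empty `SSLCertificateFile`; `scope.lookupvar 'foreman::client_ssl_cert'` is the safe form. A spec test that renders the template with these parameters set would catch both problems.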
Are these parameters available in the scope? Would you be willing to write a test for this?
I don't know why Travis failed, but it looks like a Travis issue more than the code. This can be a good addition, especially since we already have the variables available in params.pp. I do wonder what PUP-57 stands for.
On Wed, Dec 11, 2013 at 11:57 AM, Ewoud Kohl van Wijngaarden
Ah, no. I'm running puppet 2.7, so I haven't purged all my bad habits yet.
Sure, I should be able to get back to this later this week.
It is just the issue number in JIRA here internally. I didn't think
👍 from me. @domcleal? Semi-related: I wish github would send me a notification if a new commit was added.
I'm uncomfortable using the client parameters for the server side certificates, since I think these params are designed for the puppetmaster certificates when talking to Foreman. Could we add new params for server certs instead?
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem | ||
SSLCertificateFile <%= scope.lookupvar 'foreman::client_ssl_cert' %> | ||
SSLCertificateKeyFile <%= scope.lookupvar 'foreman::client_ssl_key' %> | ||
SSLCertificateChainFile <%= scope.lookupvar 'foreman::client_ssl_ca' %> | ||
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem |
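Review bot: SSLCACertificateFile stays hard-coded to `/var/lib/puppet/ssl/certs/ca.pem` while the three lines above it are now parameterised, and that path is the only CA Apache will verify client certificates against. It should become a parameter as well (defaulting to the puppet CA, so existing installs are unchanged) for hosts where the puppet ssldir lives elsewhere or puppet is not the CA issuing client certs; otherwise the template silently depends on a file outside the module's control. Keep it a separate parameter from SSLCertificateChainFile: the chain file describes the issuer of the server certificate, whereas SSLCACertificateFile decides whose client certificates are accepted, and pointing both at the same CA-issued chain would trust every client holding a cert from that CA. The `foreman::client_ssl_*` names used for the server-side lines carry the same naming concern as the previous revision; the server-side values should come from parameters named for that role.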
Shouldn't this line also come from a variable?
I originally set it to the same value as SSLCertificateChainFile (which seems to be a fairly common pattern in Apache conf files), but @domcleal suggested that I not. Initial googling suggests that I can/should not use my CA-issued cert to issue client certs.
PR updated to use server_* class parameters.
Still unsure about the SSLCACertificateFile and it being static, but I don't mind merging it as is. @domcleal @GregSutcliffe?
ditto, that's good, thanks for the update @amh-mw. One last thing, could you add some docs to the top of init.pp for the three new parameters which our installer parses out? Then we can merge. Cheers!
PR updated with documentation.
👍 pending Travis
Travis is still broken on 1.8.7, but 👍 from me as well.
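The separation the thread settles on, written out as a complete vhost SSL fragment. This is an added example, not the module's template or the PR's diff: the certificate Apache presents to browsers and API callers comes from the new server-side parameters, while the CA used to verify client certificates is its own setting and deliberately not the server cert's chain, since a certificate bought from a public CA cannot issue client certs for this deployment. The thread only confirms that the new parameters are `server_*` class parameters; the exact names `foreman::server_ssl_cert`, `foreman::server_ssl_key`, `foreman::server_ssl_chain` and `foreman::server_ssl_ca`, and the `SSLVerifyClient optional` setting, are assumptions made here.

```erb
<%# Added example; parameter names are assumed, the thread confirms only "server_*". -%>
<% server_cert  = scope.lookupvar 'foreman::server_ssl_cert'  -%>
<% server_key   = scope.lookupvar 'foreman::server_ssl_key'   -%>
<% server_chain = scope.lookupvar 'foreman::server_ssl_chain' -%>
<% client_ca    = scope.lookupvar 'foreman::server_ssl_ca'    -%>

SSLEngine on

# Identity Apache presents to clients: the CA-issued server certificate,
# its private key, and the intermediate chain of the CA that issued it.
# None of these needs to live under /var/lib/puppet/ssl.
SSLCertificateFile      <%= server_cert %>
SSLCertificateKeyFile   <%= server_key %>
SSLCertificateChainFile <%= server_chain %>

# CA that client certificates are verified against, e.g. the puppet CA
# that issued the puppetmaster's cert for calls into the Foreman API.
# Conflated form to avoid (trusts any client cert the public CA issued):
#   SSLCACertificateFile <%= server_chain %>
# Separate CA, defaulting to the puppet CA in the class parameters:
SSLCACertificateFile    <%= client_ca %>

# "optional" because browsers present no cert; clients that do present one
# must chain to SSLCACertificateFile within SSLVerifyDepth or the handshake
# fails. Apache exports SSL_CLIENT_* variables for Foreman to authenticate on.
SSLVerifyClient         optional
SSLVerifyDepth          3
SSLOptions              +StdEnvVars
```

With the files in place, `openssl verify -CAfile <chain> <server cert>` should succeed for the server certificate and fail for a puppet-issued client cert, and the reverse with the puppet `ca.pem`; that is the quickest check that the two CA settings have not been swapped.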
On CentOS 6, the following settings allow me to use a CA-provided cert instead of a puppet cert.