smoeding / puppet-openssl Goto Github PK
View Code? Open in Web Editor NEWUse Puppet to manage X.509 certificates, keys and parameter files
License: BSD 2-Clause "Simplified" License
puppet-openssl's People
Contributors
Stargazers
Watchers
Forkers
neatnerdprimepuppet-openssl's Issues
Hiera config for Ubuntu is missing
Add unique_subject = no to config file created by openssl::csr
At the moment, you can't re-create a certificate from the csr and config generated by openssl::csr because the default is to disallow multiple certs with the same subject name.
The openssl manual says this is for backwards compatibility and it's recommended to set unique_subject = no.
Can this be done in csr.conf.epp?
openssl_signcsr fails to generate cert if extensions is incorrect but reports success to Puppet
If you put an invalid value in for extensions then openssl_signcsr succeeds in Puppet but the actual openssl command has failed and the resulting certificate file does not exist:
Notice: openssl_signcsr: Using configuration from /etc/etcd/ca/ca.cnf
Notice: openssl_signcsr: Check that the request matches the signature
Notice: openssl_signcsr: Signature ok
Notice: openssl_signcsr: The Subject's Distinguished Name is as follows
Notice: openssl_signcsr: commonName :ASN.1 12:'************'
Notice: openssl_signcsr: ERROR: adding extensions in section default
Notice: openssl_signcsr: 140144353465664:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
Notice: openssl_signcsr: 140144353465664:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=utf8, value=yes
Notice: /Stage[main]/Profile::Etcd_server_cert/Openssl_signcsr[/etc/etcd/server.pem]/ensure: created (corrective)
The certificate hash file is generated in the wrong directory
Using the makehash parameter for openssl::cert generates the symbolic link in the root directory.
Source extensions should not be hardcoded
The extensions used for the source cert and key are hardcoded as .crt and .key.
The user should be able to choose them freely.
Types do not work unless ensure property is set
Omitting the ensure property prevents the types from doing anything.
The default value for the ensure propery should be present.
Use certutil to install a trusted certificate
On RedHat based systems the certificate should be added to the trusted database using certutil.
certutil -A -d sql:/etc/pki/nssdb -t "C,," -n "nickname" -i /etc/pki/tls/certs/nickname.crt
certutil -D -d sql:/etc/pki/nssdb -n "nickname"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.