cloudflare / certmgr

Automated certificate management using a CFSSL CA.
BSD 2-Clause "Simplified" License

Let it be possible to specify optional CAcert for trust of remote cfssl #51

Closed johanot closed 5 years ago

johanot commented 6 years ago

If you run the cfssl apiserver TLS-enabled, it is currently not possible to use a self-signed certificate, because certmgr will reject it.

This PR makes it possible to use a self-signed certificate on the cfssl apiserver by providing an optional cert-spec option, root_ca.
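The behaviour the PR description refers to, shown as an added Go example that is not certmgr's own code: a self-signed cfssl apiserver certificate fails chain verification against the default trust store, and passes once that certificate is loaded as the trusted root. The `root_ca` option name comes from the PR description; the function names, the host name `cfssl.example.test`, and the constructed self-signed certificate are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedServerCert constructs a self-signed certificate for a hypothetical
// cfssl apiserver (host name is an assumption) and returns it PEM-encoded.
// It stands in for the self-signed server cert the PR description talks about.
func newSelfSignedServerCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// clientTLSConfig mirrors the effect of an optional root_ca spec field (assumed
// semantics): with no PEM given, RootCAs stays nil and Go falls back to the
// system trust store; with a PEM given, only the certificates in it are trusted.
func clientTLSConfig(rootCAPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(rootCAPEM) == 0 {
		return cfg, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootCAPEM) {
		return nil, errors.New("root_ca: no certificates found in PEM data")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// verifyServerCert runs the same chain and host-name verification a TLS
// handshake would, using the RootCAs from cfg (nil means system roots).
func verifyServerCert(cfg *tls.Config, serverPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server cert: invalid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

func main() {
	const host = "cfssl.example.test" // constructed host name
	serverPEM, err := newSelfSignedServerCert(host)
	if err != nil {
		panic(err)
	}

	// Default trust store: the self-signed cert is an unknown authority.
	noRoot, _ := clientTLSConfig(nil)
	fmt.Println("without root_ca:", verifyServerCert(noRoot, serverPEM, host))

	// With the server's own cert pinned as root_ca, verification succeeds.
	withRoot, err := clientTLSConfig(serverPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("with root_ca:   ", verifyServerCert(withRoot, serverPEM, host))
}
```

Pinning a dedicated root this way keeps the check strict: a mismatched host name or a certificate signed by some other authority is still rejected, so the option widens trust only to the one root the operator names rather than disabling verification.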

johanot commented 6 years ago

@cbroglie Don't know if you work with certmgr as well? But since you merged my latest PR on cfssl, perhaps you'd care to review this as well? :) thanks in any case.

johanot commented 6 years ago

@kalbasit Thanks for the review. Check https://github.com/cloudflare/certmgr/pull/51/commits/bfbe3b4f397e0d3fe1da4695834e580da2d025c8 now. Sorry about the poor error handling. The panics were clearly remnants of my debugging and shouldn't have made it to the PR :) embarrassing.

kalbasit commented 6 years ago

@johanot no worries :), it looks great now, hopefully someone can merge this soon. Today, I will take a look at the k8s PR over on nixpkgs.

johanot commented 6 years ago

@kisom Can I kindly ask for your comment/opinion on this change?

johanot commented 6 years ago

@terinjokes Poking blindly here, but I would be very grateful if you or one of your colleagues could take a look at this PR and tell me whether it makes sense? :) We would like to include certmgr 1.6.1 (with this patch) in the upstream NixOS Kubernetes module.

johanot commented 6 years ago

@kisom @terinjokes Re-ping -> one month after PR creation.

johanot commented 5 years ago

@terinjokes @kisom Is this something you will consider merging at some point, or is it just too far from the core principles of certmgr? We've discussed in the NixOS kubernetes community whether to fork certmgr to be able to use self-signed certs with cfssl, or to build a new cfssl client; but I genuinely think that would be sad. I very much prefer to hear some sort of opinion from you on this, so that we can decide on whether to stick with upstream certmgr as cfssl client or not. Thanks a lot. :)

adamtulinius commented 5 years ago

@terinjokes @kisom Any updates on this?

kisom commented 5 years ago

@johanot @adamtulinius I'm no longer at Cloudflare and don't have access to this repo anymore :).

johanot commented 5 years ago

@ferringb Is this sufficient docs? https://github.com/cloudflare/certmgr/pull/51/commits/55c595a4a2dc871726b3c8337469daf5597718a3

ferringb commented 5 years ago

@johanot it is. Pardon the delay in following up.