On 12/20/18 12:00 PM, Neal Gompa wrote:
On Thu, Dec 20, 2018 at 11:59 AM Ken Dreyer
<ktdreyer(a)ktdreyer.com> wrote:
> Hi folks,
>
> I've written a simple "koji-ssl-admin" utility:
>
> https://pagure.io/koji-tools/pull-request/19
>
> The current Koji Server Howto guide includes a lot of steps to run openssl by
> hand, and I find I make mistakes easily in this area.
>
> This tool makes it trivial to generate the required SSL keys, CSRs, and CA to
> set up a Koji environment. It has opinionated settings, like fixed, safe key
> sizes so you can get up and running out of the box quickly.
>
> You can use this to create your own Koji-specific CA and sign HTTPS certs and
> user certs, or you can just generate the CSRs to submit to an official CA
> later.
>
> This generates the certs with single commands and predictable filenames, so
> it's easy to wrap this with scripts or config management systems like Ansible.
>
This is awesome! Thanks for making this!

Ditto! I ran into many of the same problems and went for the same
solution. My script was quirky and I never got around to making it
better behaved. I got the certs I needed and moved on and now fear that
tool. That was for $JOB_KOJI. For $HOME_KOJI I went with another approach
and used the wonderful xca tool and made templates for hub, web, user,
etc., but any tools here help. It was the single most frustrating thing
for me getting Koji up and running the first time. The upside is I got
very comfortable with X.509.