Hi all,

I've spent the holidays trying to make my upgrade to puppet v3 on my n+1
versions of Unix work and in the process found two more bugs, one a known
issue, and the other a new issue, and these are stopping puppet from
working on HP-UX.

I'm happy to send in patches for them but I'll need some advice/discussion.

Redmine #17295 - puppet not honouring --digest

This is a real showstopper on HP-UX unless you happen to like compiling
OpenSSL.

I've investigated and hacked together a workaround that works for me -

# diff
/usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_request.rb*
62c62,66
< csr.sign(key, OpenSSL::Digest::SHA256.new)
---
> if OpenSSL::Digest.const_defined?('SHA256')
> csr.sign(key, OpenSSL::Digest::SHA256.new)
> elsif OpenSSL::Digest.const_defined?('SHA1')
> csr.sign(key, OpenSSL::Digest::SHA1.new)
> end
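Review bot: the new if/elsif in certificate_request.rb has no else branch, so on an OpenSSL build that defines neither SHA256 nor SHA1 execution falls through without calling csr.sign and no error is raised; add an else that raises with a clear message. The SHA1 branch is also taken silently, so nothing records that a weaker digest signed the request; log the fallback at warning level, or select the digest from the --digest setting instead of probing constants at the call site.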
# diff
/usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_authority.rb.orig
/usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_authority.rb
278c278,283
< cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
---
>
> if OpenSSL::Digest.const_defined?('SHA256')
> cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
> elsif OpenSSL::Digest.const_defined?('SHA1')
> cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
> end
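Review bot: the if/elsif around cert.content.sign in certificate_authority.rb is a copy of the one in certificate_request.rb and has the same gap: with neither constant defined the certificate is never signed and nothing fails. Move the digest selection into one shared helper that raises when no usable digest exists and use it from both files, so the CA and the agent cannot drift apart, and drop the empty added line at the top of this hunk.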

This allows me to generate CSRs which is great, but doesn't seem to be the
right solution.

From reading the help page for puppet agent I tend to agree with Greg
Boug, who raised the issue, that --digest ought to affect both the algorithm
used to generate a fingerprint (which it apparently does) and also the
algorithm used to generate the CSR.

If people agree, I will fix it so that it does this.

Redmine #18393 - puppet assumes that all versions of diff support -u
whereas the HP-UX version doesn't and neither did Solaris 8.

This one looks harder to fix because there is a global default set in
diff_args in lib/puppet/defaults.rb. The whole concept of having a global
default doesn't seem sensible if we're passing an argument in that can't be
relied upon to be globally available. So some thoughts on what to do here
would help greatly.

Happy new year to all!

Best regards,
Alex
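
The --digest proposal in the message above, sketched as an added example (not code from the message or from Puppet): the CSR signing digest comes from a configured name, is checked against an allow-list, and fails loudly instead of falling back. The helper names, the allow-list and the sample host name are assumptions made for illustration.

```ruby
require 'openssl'

# Hypothetical allow-list: digests an operator may request for signing.
# SHA1 is listed only so that an old OpenSSL build can be served by an
# explicit setting; it is never chosen automatically.
SIGNING_DIGESTS = %w[SHA512 SHA384 SHA256 SHA1].freeze

# Hypothetical helper, not part of Puppet: turn the configured digest name
# into an OpenSSL digest object, or fail loudly.
def resolve_signing_digest(name)
  canonical = name.to_s.upcase
  unless SIGNING_DIGESTS.include?(canonical)
    raise ArgumentError, "digest #{name.inspect} is not allowed for signing"
  end
  begin
    OpenSSL::Digest.new(canonical)
  rescue StandardError => e
    # Raised when this OpenSSL build lacks the algorithm (the HP-UX case).
    raise ArgumentError, "digest #{canonical} unavailable: #{e.message}"
  end
end

# Build and sign a CSR with the digest named by the setting.
def build_csr(key, common_name, digest_name)
  digest = resolve_signing_digest(digest_name) # validate before any work
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, digest)
  csr
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed sample key
  csr = build_csr(key, 'agent.example.test', 'sha256')
  puts csr.signature_algorithm
  puts csr.verify(key.public_key)
end
```

Reading `signature_algorithm` back from the finished request is a cheap way to confirm which digest was actually used on a given host.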
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-dev/-/0uyUg-xObAEJ.