I just had an 'aha' moment when trying to make the PMT tool interact with the forge using SSL.
The problem is with Ruby & OpenSSL and its need for a CA path or file when I want to use VERIFY_PEER as a mechanism. Since forge.puppetlabs.com uses a publicly signed certificate, I need to provide the public CA. I've managed to solve it on Linux by specifying:

    https_object.ca_path = '/etc/ssl/certs'

But this isn't going to cut it cross-platform. I'm thinking there are at least two viable solutions:

a) We hunt around a user's OS looking for the cert directories. Since this is going to be prone to problems, we'd need to deal with edge cases and possibly provide a knob or fallback behaviour for this.

b) We ship our own lists of CAs. It's not enough to just ship only our CA (GeoTrust) as they might be out of business one day, and we'll have to deal with that. We'd probably need to ship a larger amount, like the full list provided by curl or something. This would be something we would continue to maintain and update indefinitely as well (so when CAs get revoked, we would have to revoke as well).

Does anyone have any other ideas around a solution to this problem? Or perhaps a viable alternative? Any help would be greatly appreciated.

ken.
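Added example, not part of the original message and not Puppet's code: a Ruby sketch that combines options (a) and (b) by trying an explicit override, then OS trust locations, then a bundle shipped with the tool, and failing closed if none is usable. The function names, the candidate list beyond '/etc/ssl/certs', and the override and bundle parameters are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'

# OpenSSL looks up certificates in a ca_path directory by subject-hash file
# name (e.g. "2e5ac55d.0"), so a directory without such entries is useless.
HASHED_NAME = /\A[0-9a-f]{8}\.\d+\z/

# Option (a): places to look on the user's OS. The first two are the defaults
# compiled into the local OpenSSL; the last is the path named in the post.
CA_CANDIDATES = [
  OpenSSL::X509::DEFAULT_CERT_DIR,
  OpenSSL::X509::DEFAULT_CERT_FILE,
  '/etc/ssl/certs'
].freeze

def usable_ca_dir?(dir)
  File.directory?(dir) && Dir.children(dir).any? { |f| f.match?(HASHED_NAME) }
end

# Returns [:ca_path, dir] or [:ca_file, file] for the first usable source.
# Order: override (the "knob"), OS candidates (a), shipped bundle (b).
# `override` and `bundled` are hypothetical parameters for this example.
def pick_ca_source(override: nil, candidates: CA_CANDIDATES, bundled: nil)
  [override, *candidates, bundled].compact.each do |loc|
    return [:ca_path, loc] if usable_ca_dir?(loc)
    return [:ca_file, loc] if File.file?(loc) && !File.zero?(loc)
  end
  # Fail closed: never downgrade to VERIFY_NONE when no trust anchors exist.
  raise ArgumentError, 'no usable CA certificates found'
end

# Builds (but does not open) an HTTPS client that verifies the peer
# against the chosen source.
def build_https(host, source)
  kind, loc = source
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if kind == :ca_path
    http.ca_path = loc
  else
    http.ca_file = loc
  end
  http
end
```

Raising when nothing is found keeps a missing trust store from silently turning into an unverified connection.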