    Marti Raudsepp
    @intgr
    @castrapel ^
    I think making it configurable is worse :)
    Curtis
    @castrapel
    Hmm, could we set it to "valid" if the certificate is not expired and not revoked? Setting to "unchecked" seems odd
    Marti Raudsepp
    @intgr
    Hmm yeah, that might work. Seems like a reasonable assumption that a recently created or imported certificate is valid.
    Curtis
    @castrapel
    Perfect - This sounds good to me, and if we (or anyone else for that matter) have any concerns about the validation logic, we can always refine it in the future. Thanks @intgr!
    Matthew Nataloni
    @mnatalonicb
    Hi Everyone,
    I am trying to configure the Digicert plugin and was curious if there is a walk through on how to configure lemur to request and revoke certs for a digicert instance?
    Curtis
    @castrapel
    There's not a good tutorial besides what is in Lemur's documentation (https://lemur.readthedocs.io/en/latest/guide/index.html). For Digicert, you will need to create variables in your configuration depending on the specific API you are using. For Digicert's CIS API, you'd need to configure DIGICERT_CIS_URL, DIGICERT_CIS_API_KEY, DIGICERT_CIS_PROFILE_NAME, DIGICERT_CIS_INTERMEDIATE, DIGICERT_CIS_ROOT (DIGICERT_ECC_CIS_INTERMEDIATE if you intend to issue ECC certificates). Otherwise, you'd need DIGICERT_URL, DIGICERT_API_KEY, DIGICERT_ORG_ID, DIGICERT_ROOT, and DIGICERT_INTERMEDIATE.
    rabbai007
    @rabbai007
    Hello All,
    I have tried every method available online to get lemur running with no success. Any success stories recently???
    Curtis
    @castrapel
    Hi @rabbai007 , what specific issues are you running in to?
    Kyle Parrish
    @arnydo
    Does Lemur integrate with a Windows CA?
    sirferl
    @sirferl
    @arnydo : I created a plugin for Windows AD PKI. We're using it for internal certificates. It is integrated in the standard lemur installation.
    sureshyella
    @sureshyella
    I can't login and click any tab like DASHBOARD, CERTIFICATES, etc...
    bower.json looks intact as shown below.
    (lemur) lemur@ubuntu-xenial:/www/lemur/bower_components$ ls
    angular angular-loading-bar angular-ui-select Chart.js json3 satellizer
    angular-animate angular-moment angular-ui-switch d3 lodash underscore
    angular-bootstrap angular-sanitize angular-underscore es5-shim moment
    angular-chart.js angular-smart-table angular-wizard file-saver.js moment-range
    angular-clipboard angular-strap blob-polyfill fontawesome ngletteravatar
    angular-file-saver angular-translate bootstrap font-awesome ng-table
    angularjs-toaster angular-ui-router bootswatch jquery restangular
    (lemur) lemur@ubuntu-xenial:/www/lemur/bower_components$
    {
    "name": "lemur",
    "repository": {
    "type": "git",
    "url": "git://github.com/netflix/lemur.git"
    },
    "private": true,
    "dependencies": {
    "jquery": "~2.2.0",
    "angular-wizard": "~0.4.0",
    "angular": "1.4.9",
    "json3": "~3.3",
    "es5-shim": "~4.5.0",
    "bootstrap": "~3.3.6",
    "angular-bootstrap": "~1.1.1",
    "angular-animate": "~1.4.9",
    "restangular": "~1.5.1",
    "ng-table": "~0.8.3",
    "moment": "~2.11.1",
    "angular-loading-bar": "~0.8.0",
    "angular-moment": "~0.10.3",
    "moment-range": "~2.1.0",
    "angular-clipboard": "~1.3.0",
    "angularjs-toaster": "~1.0.0",
    "angular-chart.js": "~0.8.8",
    "ngletteravatar": "~4.0.0",
    "bootswatch": "~3.3.6",
    "fontawesome": "~4.5.0",
    "satellizer": "~0.13.4",
    "angular-ui-router": "~0.2.15",
    "font-awesome": "~4.5.0",
    "lodash": "~4.0.1",
    "underscore": "~1.8.3",
    "angular-smart-table": "2.1.8",
    "angular-strap": ">= 2.2.2",
    "angular-underscore": "^0.5.0",
    "angular-translate": "^2.9.0",
    "angular-ui-switch": "~0.1.0",
    "angular-sanitize": "~1.5.0",
    "angular-file-saver": "~1.0.1",
    "angular-ui-select": "~0.17.1",
    "d3": "^3.5.17"
    },
    "../bower.json" 56L, 1411C 1,1 Top
    Here is the error screenshot.
    Italo Perez
    @ItaloPerez2019
    The Lemur ADCS plugin uses ADCS Web enrollment for performing certificate management (certsrv). I learned that Microsoft ADCS web enrollment is outdated and probably deprecated. Can you please let me know if there is any alternative to ADCS Web enrollment that Lemur already provides or plans to provide?
    sirferl
    @sirferl

    @ItaloPerez2019 : Someone opened Netflix/lemur#2863 on this topic. I answered there: Found this discussion:
    https://social.technet.microsoft.com/Forums/en-US/d60f99d5-8410-4acb-97e6-8b53b8feaa16/adcs-webenrollment-deprecated-?forum=winserverDS

    From there I gather it is not dead yet.
    Do you have any written statement stating the demise of the interface?

    Italo Perez
    @ItaloPerez2019
    Thank you so much Sir.
    dbagwell00
    @dbagwell00
    Sup party people. We're trying to get Lemur to create a subca using cfssl. cfssl has the intermediary, and we can make certs all day long (but there's no 'chain'). our ca is 'off line'
    not sure how it all works. if i try to create a subca using the authority, it spits out some crazy error about "AttributeError: 'NoneType' object has no attribute 'strip'"
    Jeff Daze
    @jeffdaze
    Hello all -- quick question: has anyone gotten lemur to run locally on Mac Catalina? After the upgrade root is no longer writeable and everything seems to reference '/www/lemur/' when setting up virtual environment etc. Any advice would be greatly appreciated!
    Jeff Daze
    @jeffdaze
    I discovered a solution for my issue; I used a 'synthetic.conf' style symlink to create a /www/ path and everything works again (after re-installing many dependencies that Catalina shuffled around on me). Hopefully this helps someone else!
    Rodrigo Pereira
    @voiprodrigo
    Hi. I'm trying to use the API to POST a certificate request. Is there a way to define a template? Or is it possible to define all the items that the template sets in the request? Or are the attributes just those that are in the REST API documentation for /certificate?
    Italo Perez
    @ItaloPerez2019
    Has anyone created a revoke function in the ACME plugin?
    Marti Raudsepp
    @intgr
    @voiprodrigo The templates are currently only known to the UI unfortunately.
    Rodrigo Pereira
    @voiprodrigo
    @intgr thanks. I have meanwhile tested a POST to /certificates from the GUI and collected the JSON in the request. From the look of it, I think I'll be able to just POST the specific options which would be selected as part of the template. Not ideal, but I think it will do.
    Ilya Labun
    @ilyalabun
    Hello there! I tried to run Lemur tests with docker-compose and got /bin/bash: npm: command not found. I added npm to apt-get in Dockerfile and seems it fixed the issue. Is it known problem? I use Ubuntu 18.04, docker 19.03.5 and docker-compose 1.25.0
    sureshbyella
    @sureshbyella
    Does it support OKTA for SSO
    Ilya Labun
    @ilyalabun

    Hello there! I tried to run Lemur tests with docker-compose and got /bin/bash: npm: command not found. I added npm to apt-get in Dockerfile and seems it fixed the issue. Is it known problem? I use Ubuntu 18.04, docker 19.03.5 and docker-compose 1.25.0

    Regarding this, I submitted PR to fix the issue Netflix/lemur#2885

    Ilya Labun
    @ilyalabun
    @sureshbyella OKTA supports OAUTH2 and lemur has OAUTH2 auth provider, so I guess it's possible to make it work
    Hans Krutzer
    @hkrutzer
    Hey, I found get_all_pending_reissue in the API docs, but can Lemur automatically reissue certificates?
    pmelse
    @pmelse
    question, has anyone gotten lemur to work with cloudflare / lets-encrypt? I'd like to write up some documentation on how to do this, should have a big impact on adoption.
    Hossein Shafagh
    @hosseinsh
    hi @pmelse, there is an ACME plug-in in Lemur, and we are using it for Let's Encrypt certificates.
    Currently, only DNS validation is supported, but ideally should be expanded to include http01 validation. Would love to see any contributions code-wise, or documentation-wise. As you mentioned, this has a big impact on adoption.
    https://lemur.readthedocs.io/en/latest/production/index.html#add-support-for-letsencrypt
    @hkrutzer, yes, Lemur can automatically reissue a certificate with the parameters of the old one. It can also rotate it on endpoints, such as load balancers. You would need to schedule a celery job to run daily.
    https://github.com/Netflix/lemur/blob/master/lemur/common/celery.py#L485-L558
    https://github.com/Netflix/lemur/blob/master/lemur/certificates/cli.py
    sirferl
    @sirferl
    @arnydo : hello, yesterday I fixed an error in the ADCS-plugin that prevented the storing of certificates. I'm sorry that I did not see this error earlier.
    Pavel Yaroshevskiy-Molozovenko
    @gutttlt_gitlab
    @hosseinsh, could you please quickly explain the auto-reissue functionality?
    I've tried many times but can't make it work. If I have a certificate that expires in N days with a rotation policy set to K>=N days and rotation enabled, it doesn't get rotated automatically, regardless of whether I run sources synchronisation. At the same time, I can successfully reissue it using the command line.
    This was mainly tested on 0.7.0.
    Pavel Yaroshevskiy-Molozovenko
    @gutttlt_gitlab
    One important thing to mention: I have defined no sources. My plugin (a wrapper around scepclient binary) acts as an issuer plugin only.
    Hossein Shafagh
    @hosseinsh
    @ooav if the reissue is working well from the command line, I am not sure why the scheduled job shall not work. In the 0.7.0 version one can create a cron task which runs daily and tries to re-issue any certs which fall under the window of auto-rotate: /lemur/bin/lemur certificate reissue -c" Note that this is only re-issuing the cert; if you want it to be rotated on your endpoint, say a load balancer, you need to also have a cron task for lemur/bin/lemur certificate rotate -c
    Hossein Shafagh
    @hosseinsh
    In the latest version of Lemur all these tasks are running in celery for better monitoring. Trying to find some time to make a new release with all the latest features.
    verovan
    @verovan_gitlab
    Hi, I'm new with Lemur, I'm currently testing following the docs. I want to create a root CA and a sub CA using the cryptography plugin. I was able to create the root CA, but I can't create a subCA using the authority previously created. I got this error: Private would be ignored, authority key used instead. Could someone assist me please? I will appreciate it.
    sureshbyella
    @sureshbyella
    @kevgliss We have a plugin working for our internal CA. We are planning to use APIs for the clients to enroll certs onto IoT devices. I have a question on the JSON response object for certificate creation. How do we change the response to keep it limited, like only body (cert), serial no and base64pem (cert)?
    Saxon
    @noxasaxon
    Hello all,
    We are starting to develop lemur and have noticed that the LEMUR_INSTANCE_PROFILE variable in lemur.conf.py does not actually change the role that lemur assumes to deliver certificates for the AWS S3 plugin, and the role will always be 'lemur'
    Defusevenue
    @defusevenue
    Hello, we're looking to use Lemur in production and was wondering if it was possible to run multiple Lemur instances at the same time? I assume this is possible as long as the database and encryption keys are the same. Are there are issues with running multiple Lemur instances like this?
    1 reply
    oasisδΈΆ
    @shchnk1103
    Hey gus , I have some problems when 'lemur start' . I got this error: 'werkzeug.exceptions.NotFound: 404 Not Found: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.'
    steschuser
    @steschuser
    Hello,
    I spent some time with lemur and I have to say it appears pretty buggy.
    Is this still developed or is everybody walking away?
    The docker image does not work, the documentation is not updated and even getting to the point where I can start issuing certificates was a hassle.
    Now I seem to be stuck at a validation error about auto-rotate, yet I haven enabled that
    Githin Manesh
    @AToMiXhawK
    Hi,
    I was looking at lemur for some time now.
    Took some time to figure it out.
    I have succeeded in generating certificates with Let'sEncrypt using route53 as dns provider.
    I was now trying to look at digicert plugin, but i can't seem to create a new certificate using digicert using the webUI and the API.
    Some help will be useful.
    Thanks
    steschuser
    @steschuser

    I got lemur running but it fails when trying to create a certificate

    Rotation Policy - {"_schema":"Unable to find <class 'lemur.policies.models.RotationPolicy'> with name: default"}

    This looks like it should be fixed Netflix/lemur#923

    shirHornstein
    @shirHornstein
    Hi,
    I'm trying to set up my lemur env for a while now, I'm using the official documentation while trying to generate certificates with Let'sEncrypt using route53 through webUI with no luck.
    Does someone have documentation or something that could help me?
    Thanks 🙏🙏🙏🙏🙏🙏