Foreman/Puppet and Certs

When I installed my Foreman/Puppet environment (my personal environment)
one of the first things I noticed was my browser complained that the cert
was unverifiable. So one of the things I want to do but keep putting off is
to get a cert from StartSSL for both Puppet and Foreman.

  1. Is this wise?
  2. What considerations should I have in mind when doing so?

I am planning on replicating that behavior for my at-work environment as
well.

--

Peter L. Berghold Salty.Cowdawg@gmail.com

http://blog.berghold.net

> When I installed my Foreman/Puppet environment (my personal environment) one
> of the first things I noticed was my browser complained that the cert was
> unverifiable. So one of the things I want to do but keep putting off is to
> get a cert from StartSSL for both Puppet and Foreman.
>
> 1) Is this wise?

It can be made to work, but there is an issue in the enc script as it
doesn't look for third party CA certs, i.e. it's not parsing the SSL CA
path. I'm going to be submitting a patch to fix this, as we have this
working in our environment. I should have a patch submitted within a
week, but you'll likely have to hand edit your enc script and
foreman.yaml to incorporate these changes.

> 2) What considerations should I have in mind when doing so?

Basically you need to make sure that your CA's cert is in the CA path,
and that you somehow set that variable on your puppetmaster, and that
you have an updated enc script that parses the variable.

I'm going to send a pull request later this week; you'll just need to
replicate the changes in your environment. It will only be two
additional lines of code.

Feel free to follow up next week and I'll provide the link to the
changes, or ping me on irc (bgupta@freenode) if you are working on it
this week and need help.

P.S. - I'll try to remember to follow up on this thread.

On Tue, Oct 21, 2014 at 11:17 AM, Peter Berghold wrote:

> I am planning on replicating that behavior for my at work environment as
> well.
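To make the "CA path" point concrete, here is an added example (not Foreman's own node.rb and not the patch mentioned above) of what an ENC-style HTTPS client looks like when it trusts a third-party CA rather than only the Puppet CA. The settings hash stands in for values you would keep in foreman.yaml; the key names (:ssl_ca, :ssl_cert, :ssl_key) and the file paths are assumptions chosen for illustration, not Foreman's documented keys. Peer verification stays on in every branch, so a wrong path fails loudly instead of silently disabling checks.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Stand-in for foreman.yaml (assumed key names; paths are constructed examples).
# :ssl_ca may point at a single PEM bundle or at a c_rehash-style directory.
SETTINGS = {
  :url      => 'https://foreman.example.com',
  :ssl_ca   => '/etc/pki/tls/certs/third-party-ca.pem',
  :ssl_cert => '/var/lib/puppet/ssl/certs/puppetmaster.pem',
  :ssl_key  => '/var/lib/puppet/ssl/private_keys/puppetmaster.pem',
  :timeout  => 10,
}

# Apply CA trust to a Net::HTTP object. A directory becomes ca_path, a file
# becomes ca_file; with no setting the default system store is used. Peer
# verification is always enforced, never downgraded to VERIFY_NONE.
def apply_ca_trust(http, ca_setting)
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  return http if ca_setting.nil? || ca_setting.to_s.empty?
  if File.directory?(ca_setting)
    http.ca_path = ca_setting
  else
    http.ca_file = ca_setting
  end
  http
end

# Build the client the ENC would use to ask Foreman for a node's classes.
def build_http(settings)
  uri  = URI.parse(settings[:url])
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl      = (uri.scheme == 'https')
  http.read_timeout = settings[:timeout] || 10
  apply_ca_trust(http, settings[:ssl_ca])
  # Client certificate so Foreman can authenticate the puppetmaster;
  # only loaded when both files actually exist on this host.
  cert, key = settings[:ssl_cert], settings[:ssl_key]
  if cert && key && File.exist?(cert) && File.exist?(key)
    http.cert = OpenSSL::X509::Certificate.new(File.read(cert))
    http.key  = OpenSSL::PKey.read(File.read(key))
  end
  http
end

# Summarise the resulting trust configuration so it can be checked offline.
def trust_summary(http)
  {
    :ssl     => http.use_ssl?,
    :verify  => http.verify_mode == OpenSSL::SSL::VERIFY_PEER,
    :ca_file => http.ca_file,
    :ca_path => http.ca_path,
  }
end

if __FILE__ == $0
  puts trust_summary(build_http(SETTINGS)).inspect
end
```

A quick sanity check before wiring this into the real script: run `openssl verify -CAfile <your-ca-bundle> <foreman-server-cert>` on the puppetmaster; if that fails, the ENC will fail the same way, and the fix belongs in the CA path rather than in the verify mode.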

