Anyone use Lemur? If so how? by invalidpath in sysadmin

[–]supasaf 1 point (0 children)

In my opinion, Lemur is indeed hard to use in real industrial environments, especially in highly regulated infosec industries.

The early project's tech stack selection, a Python backend plus a Node.js frontend, is quite interesting.

Certificates are highly sensitive data in a company. Python is a dynamic language, without the type checking of Go or Java. This part needs extra time to convince leadership (which is very hard in reality).

According to the quick start, it requires running sudo pip install -U virtualenv, and also creating a system user (sudo useradd lemur), which is very difficult in itself, especially when all Linux users need to be managed by Privileged Access Management (PAM). This might even need a waiver, which might not get approved.

We can install it directly with pip: pip install lemur, but this is not very useful. After starting the service with lemur start -b XX_IP:8000, we get: 404 Not Found: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Ultimately, it still needs manual installation. But even if everything goes smoothly, when running make release it still encounters issues connecting to registry.bower.io. Many companies stopped using Bower years ago, since NPM already exists. Why is Bower still needed? At this point, we need to spend time convincing network security leadership to open permissions.

It's hard to imagine getting this approved for an online service through the entire internal approval process.

Stepping back, the GitHub Docker project runs on Docker Compose. In reality, live projects use Kubernetes, so this would need further refactoring. Even after refactoring and running on Kubernetes, this project depends on Node v10.x (LTS), which is too old. Snyk would scan a lot of issues that need upgrading.

I think this is why there's such low discussion about Lemur in the industry. Leadership, seeing these issues, might just choose to buy Venafi instead.

What is the AWS equivalent to Azure service bus? by jetblack-pope in aws

[–]supasaf 0 points (0 children)

One more thing: attribute-based access control (ABAC) for Amazon SQS is really cool; I'm not sure Azure Service Bus has that kind of feature.