On Thu, Jun 14, 2012 at 12:55 PM, Scott Merrill wrote:
> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
> > On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
> > > If I point that node to my top-level Master (via entry in /etc/hosts),
> > > the `puppet agent --test --noop` invocation works without error.
> >
> > You want to make sure the subordinate master presents the same CA pub
> > key as the top-level master.
>
> This sounds like it may be the piece I've been missing.
>
> > On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill wrote:
> > > On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
> > >
> > > SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
> > > SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
> > > SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
> > > SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
> >
> > Shouldn't the last line also be?
> > /var/lib/puppet/ssl/certs/ca.pem
>
> You're asking me? I'm the one looking for help! ;)
>
> > sub-master:
> > puppet agent -t --server sub-master --ca_server master
>
> I had not tried this test. Doing so fails in the same way that the client fails.
>
> > What's the result of the following command on sub-master and master?
> > openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
>
> The output is the same on both the top-level and subordinate master:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Puppet CA: top-level-master.domain
>         Validity
>             Not Before: May 15 18:40:44 2012 GMT
>             Not After : May 15 18:40:44 2017 GMT
>         Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 <-snip->
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Comment:
>                 Puppet Ruby/OpenSSL Internal Certificate
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
>     <-snip->
>
> > What's the output of the following on the submaster?
> > openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 9 (0x9)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Puppet CA: top-level-master.domain
>         Validity
>             Not Before: May 29 01:45:38 2012 GMT
>             Not After : May 29 01:45:38 2017 GMT
>         Subject: CN=subordinate-master-1.domain
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 <-snip->
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             Netscape Comment:
>                 Puppet Ruby/OpenSSL Internal Certificate
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Key Identifier:
>                 F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
>             X509v3 Extended Key Usage: critical
>                 TLS Web Server Authentication, TLS Web Client Authentication
>     <-snip->
>
> Thanks,
> Scott

Yeah, so it confirms so far they are only valid client certs.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu wrote:
> Yeah, so it confirms so far they are only valid client certs.
that we recommend for the process here --> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html If you're using them and there are things going wrong, PLEASE let us know what steps have fallen through so we can get that cleared up ASAP! If you've not seen the docs, you might want to check the process we suggested and see if there's something you did that differs.

--
Gary Larizza
Professional Services Engineer
Puppet Labs
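The two checks Nan asks Scott to run by hand, whether ca.pem is the same on both masters and whether the subordinate master's own certificate is issued by that CA and carries the name agents connect to, can be scripted with the same openssl tool. The script below is an added example, not code from the thread or from Puppet. It assumes only the openssl command-line tool; the certificates it checks are generated inline as constructed fixtures (a CA, a copy of it standing in for the sub-master's ca.pem, a sub-master certificate with the SANs from the thread, and an unrelated CA), and the file names ca-copy.pem, other-ca.pem and sub.pem are those fixtures, not files Puppet creates. In practice you would point ca_fingerprint at /var/lib/puppet/ssl/certs/ca.pem on each master and check_submaster_cert at the sub-master's certificate under /var/lib/puppet/ssl/certs/.

```shell
#!/bin/sh
# Added example (not from the thread): checks a subordinate Puppet master's
# certificates the way Nan's questions imply, using only the openssl CLI.
# Every certificate below is a constructed fixture generated here, not one
# of the posters' real certificates.

# SHA-256 fingerprint of a CA certificate. Run this against ca.pem on both
# masters and compare: agents trust one CA, so the sub-master must present
# exactly the same one (same public key), not a CA of its own.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Three checks on the sub-master's own certificate; prints the first failed
# one and returns 1, returns 0 when all pass:
#   1. it chains to the CA the top-level master runs,
#   2. it is an end-entity cert (CA:FALSE) usable for TLS server auth,
#   3. the name agents connect to appears in its subjectAltName.
check_submaster_cert() {
    ca=$1; leaf=$2; host=$3
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
        || { echo "$leaf does not chain to $ca"; return 1; }
    text=$(openssl x509 -noout -text -in "$leaf")
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "$leaf is not an end-entity certificate"; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "$leaf lacks the serverAuth extended key usage"; return 1; }
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$text" | grep -Eq "DNS:$pat(,|[[:space:]]|\$)" \
        || { echo "$leaf has no subjectAltName for $host"; return 1; }
    return 0
}

# Constructed fixtures in directory $1: ca.pem (and a copy ca-copy.pem),
# sub.pem signed by it with the thread's SANs, and an unrelated other-ca.pem.
make_fixtures() {
    dir=$1
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    for name in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
            -subj "/CN=Puppet CA: $name.example" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    done
    cp "$dir/ca.pem" "$dir/ca-copy.pem"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj '/CN=subordinate-master-1.domain' \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    cat >"$dir/sub.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
EOF
    openssl x509 -req -days 1 -in "$dir/sub.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/sub.ext" -out "$dir/sub.pem" 2>/dev/null
}

# Stand-alone demonstration on the constructed fixtures.
tmp=$(mktemp -d)
make_fixtures "$tmp"
echo "top-level ca.pem : $(ca_fingerprint "$tmp/ca.pem")"
echo "sub-master ca.pem: $(ca_fingerprint "$tmp/ca-copy.pem")"
check_submaster_cert "$tmp/ca.pem" "$tmp/sub.pem" puppetmaster.domain && echo "sub-master cert: OK"
check_submaster_cert "$tmp/other-ca.pem" "$tmp/sub.pem" puppetmaster.domain \
    || echo "(expected: the same cert fails against an unrelated CA)"
```

Two fingerprints that differ mean the sub-master is presenting a different CA from the one agents were enrolled against, and agents that trust the top-level CA will refuse it regardless of what the sub-master's own certificate looks like. CA:FALSE on the sub-master certificate is the expected state, in line with Nan's reading of Scott's output: a subordinate master is a server certificate issued by the one CA, not a second CA, which is why the guide Gary links has the sub-master forward certificate requests to the ca_server rather than sign them itself.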