On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
>> If I point that node to my top-level Master (via entry in /etc/hosts),
>> the `puppet agent --test --noop` invocation works without error.
> You want to make sure the subordinate master presents the same CA pub
> key as the top-level master.
This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

On my subordinate masters, I have:
SSLCertificateFile /var/lib/puppet/ssl/certs/subordinate-master.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

On the subordinate masters, the ca.pem referenced in the
SSLCertificateChainFile and SSLCACertificateFile is the same as the
top-level master's SSLCertificateChainFile.

I copied ca_crt.pem from the top-level master to the subordinate
master, and updated the SSLCACertificateFile to point to it. The node
still fails with the same error message.

Perhaps I'm not fully understanding you. Do I need each subordinate
master to use the same public _and_ private key as the CA?
Subordinate masters can function as clients of the top-level Master
successfully, so their certificates are installed and signed
correctly, at least for the agent context.
> You only verified they have a working client cert, not that it's
> presenting the correct CA pub key or server cert. An easy test is to
> connect the subordinate master to itself and see if that works.

> I would run the following tests:
>
> puppet agent -t --server sub-master --ca_server master
This is essentially the test I've been performing using /etc/hosts
entries to point to a specific subordinate master. Using an explicit
"--server" argument does not produce different results on the node: it
> puppet agent -t --server sub-master --ca_server master
I had not tried this test. Doing so fails in the same way that the client fails.


You received this message because you are subscribed to the Google Groups "Puppet Users" group.

Discussion overview: group puppet-users; posted Jun 12, '12 at 6:54p; active Jun 15, '12 at 2:44a