
On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill wrote:
On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
If I point that node to my top-level Master (via entry in /etc/hosts),
the `puppet agent --test --noop` invocation works without error.
You want to make sure the subordinate master presents the same CA pub
key as the top-level master.
This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
Shouldn't the last line also be /var/lib/puppet/ssl/certs/ca.pem?
On my subordinate masters, I have:
SSLCertificateFile /var/lib/puppet/ssl/certs/subordinate-master.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/subordinate-master.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

On the subordinate masters, the ca.pem referenced in the
SSLCertificateChainFile and SSLCACertificateFile is the same as the
top-level master's SSLCertificateChainFile.

I copied ca_crt.pem from the top-level master to the subordinate
master, and updated the SSLCACertificateFile to point to it. The node
still fails with the same error message.

Perhaps I'm not fully understanding you. Do I need each subordinate
master to use the same public _and_ private key as the CA?
Subordinate masters can function as clients of the top-level Master
successfully, so their certificates are installed and signed
correctly, at least for the agent context.
You only verified they have a working client cert, not that it's
presenting the correct CA pub key or server cert. An easy test is to
connect the subordinate master to itself and see if that works.

I would run the following tests:

client:
puppet agent -t --server sub-master --ca_server master
This is essentially the test I've been performing using /etc/hosts
entries to point to a specific subordinate master. Using an explicit
"--server" argument does not produce different results on the node: it
fails.
sub-master:
puppet agent -t --server sub-master --ca_server master
I had not tried this test. Doing so fails in the same way that the client fails.
Yeah, so it confirms so far they are only valid client certs.

What's the result of the following command on sub-master and master?
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

What's the output of the following on the submaster?
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem

Nan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
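The two checks Nan asks for above (is certs/ca.pem the same certificate on both masters, and is the subordinate's certificate usable as a server certificate for the name agents connect to) can be scripted. The following is an added POSIX shell example; it is not from the thread or from Puppet. It builds a constructed fixture with openssl (a "top-level" CA, a second CA standing in for a subordinate that generated its own, and one server certificate issued by each) and then runs the checks against it. All file names, host names and the paths in the comments are hypothetical; 8140 is assumed as the Puppet master port.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): does a subordinate Puppet
# master present a server certificate that chains to the CA the agents and the
# top-level master trust? File names and hosts below are hypothetical.

# ca_fingerprint CA_PEM: SHA-256 fingerprint of a certificate, so that
# certs/ca.pem on the top-level master and on a subordinate can be compared.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# same_ca A_PEM B_PEM: succeed only if both files hold the identical CA cert.
same_ca() {
    [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

# server_cert_ok CA_PEM SERVER_PEM NAME: succeed if SERVER_PEM chains to CA_PEM,
# is usable as a TLS *server* certificate (keyUsage / extendedKeyUsage) and
# matches NAME, the name agents actually use (--server or the /etc/hosts entry).
# A certificate that is only good as a client certificate fails here.
server_cert_ok() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# live_server_cert HOST PORT: the certificate a running master really presents
# (assumed port 8140). Needs network, so the fixture below does not call it.
live_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# --- constructed fixture (hypothetical names) ------------------------------

# make_ca DIR NAME CN: self-signed CA carrying the extensions openssl verify
# requires of a trust anchor (basicConstraints CA:TRUE, keyUsage keyCertSign).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/$2.ext"
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_server DIR CA NAME: certificate for NAME (CN and SAN, plus DNS:puppet)
# signed by DIR/CA.pem, with both serverAuth and clientAuth EKU.
make_server() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s,DNS:puppet\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' "$3" \
        > "$1/$3.ext"
    openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3.pem" >/dev/null 2>&1
}

# make_fixture DIR: the real CA (ca), a stray CA standing in for a subordinate
# that generated its own before ca.pem was copied over (other-ca), and one
# server certificate issued by each.
make_fixture() {
    make_ca "$1" ca "Puppet CA: top-level-master.domain"
    make_ca "$1" other-ca "Puppet CA: subordinate-master.domain"
    make_server "$1" ca sub-master-ok
    make_server "$1" other-ca sub-master-own-ca
}

# report EXPECT LABEL CMD...: run one check and print its outcome next to the
# outcome expected for the fixture (EXPECT is ok or bad).
report() {
    expect=$1; label=$2; shift 2
    if "$@"; then got=ok; else got=bad; fi
    echo "$got (expected $expect)  $label"
}

# Demo against the fixture: sh check-puppet-master-ssl.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    report ok  "same ca.pem on both masters"       same_ca "$d/ca.pem" "$d/ca.pem"
    report bad "stray CA differs from real CA"     same_ca "$d/ca.pem" "$d/other-ca.pem"
    report ok  "sub-master cert chains to real CA" server_cert_ok "$d/ca.pem" "$d/sub-master-ok.pem" sub-master-ok
    report bad "name agents use is not in cert"    server_cert_ok "$d/ca.pem" "$d/sub-master-ok.pem" some-other-name
    report bad "cert issued by stray CA rejected"  server_cert_ok "$d/ca.pem" "$d/sub-master-own-ca.pem" sub-master-own-ca
    rm -rf "$d"
fi
```

Against real hosts, point same_ca at the copy of /var/lib/puppet/ssl/certs/ca.pem from each master, and server_cert_ok at the subordinate's /var/lib/puppet/ssl/certs/<fqdn>.pem with the exact name the agents pass in --server; to check what the running master hands out rather than what sits on disk, feed the output of live_server_cert to server_cert_ok instead. A certificate that verifies against the CA but fails only the hostname check is the symptom of pointing agents at a name the master's certificate was never issued for (for example through an /etc/hosts alias), not of a CA mismatch.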

Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 12, '12 at 6:54p
active: Jun 15, '12 at 2:44a
posts: 16
users: 5
website: puppetlabs.com