
On Thu, Jun 14, 2012 at 10:55 AM, Scott Merrill wrote:
On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill wrote:
On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
If I point that node to my top-level Master (via entry in /etc/hosts),
the `puppet agent --test --noop` invocation works without error.
You want to make sure the subordinate master presents the same CA pub
key as the top-level master.
This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
Shouldn't the last line also be?
/var/lib/puppet/ssl/certs/ca.pem
You're asking me?  I'm the one looking for help!  ;)

sub-master:
puppet agent -t --server sub-master  --ca_server master
I had not tried this test. Doing so fails in the same way that the client fails.
Yeah, so it confirms so far they are only valid client certs.

What's the result of the following command on sub-master and master?
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
The output is the same on both the top-level and subordinate master:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 15 18:40:44 2012 GMT
            Not After : May 15 18:40:44 2017 GMT
        Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
<-snip->
So normally for a self-signed CA the issuer and subject are the same. In
this case you are issuing the certs via:
CN=Puppet CA: top-level-master.domain

However you are asking the system to verify against a CA cert that
presents the subject as:
CN=Puppet CA: nlvmjt036.nwideweb.net

So can you locate your CA cert with the subject?
Subject: CN=Puppet CA: top-level-master.domain

This is the CA.pem file that should be used.

Nan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
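The two checks that settle this thread (is the file behind SSLCACertificateFile really the root CA, i.e. subject equals issuer, and can an agent cert issued by the top-level CA actually be chained to it) can be run in Puppet's own language with Ruby's bundled OpenSSL bindings. The script below is an added example, not code from the thread or from Puppet: it builds a throwaway in-memory PKI shaped like the poster's (a self-signed root CA, an intermediate CA issued by that root, which is what the posted ca.pem turned out to be, and an agent cert issued by the root) and shows that the agent verifies against the root but not against the intermediate. The CNs, the agent hostname, the 2048-bit key size and the load_cert helper are assumptions for illustration.

```ruby
require 'openssl'

# Added example, not code from the thread or from Puppet. Names below are
# assumptions chosen to match the thread; agent01.domain is hypothetical.
ROOT_CN  = 'Puppet CA: top-level-master.domain'
SUB_CN   = 'Puppet CA: nlvmjt036.nwideweb.net'
AGENT_CN = 'agent01.domain'

# Build and sign an X.509 v3 certificate. With no issuer it is self-signed.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Check 1: the file behind SSLCACertificateFile must be the root itself,
# so its subject and issuer must match (Nan's point in the thread).
def self_signed?(cert)
  cert.subject.to_s == cert.issuer.to_s
end

# Check 2: can a peer (agent) certificate be chained to this CA file?
# This is what mod_ssl does for SSLVerifyClient against SSLCACertificateFile.
def verifies?(ca_cert, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(peer_cert)
end

# Helper for running the same checks on a real PEM file (path is an assumption).
def load_cert(path)
  OpenSSL::X509::Certificate.new(File.read(path))
end

root_key  = OpenSSL::PKey::RSA.new(2048)
sub_key   = OpenSSL::PKey::RSA.new(2048)
agent_key = OpenSSL::PKey::RSA.new(2048)

ROOT_CA    = make_cert(ROOT_CN, root_key, ca: true)
# The thread's ca.pem: CA:TRUE, but issued by the top-level CA, i.e. an intermediate.
SUB_CA     = make_cert(SUB_CN, sub_key, issuer_cert: ROOT_CA, issuer_key: root_key,
                       ca: true, serial: 1)
# An agent cert signed by the top-level CA, like the certs the sub-master rejected.
AGENT_CERT = make_cert(AGENT_CN, agent_key, issuer_cert: ROOT_CA, issuer_key: root_key,
                       serial: 2)

if __FILE__ == $PROGRAM_NAME
  [['root as ca.pem', ROOT_CA], ['intermediate as ca.pem', SUB_CA]].each do |label, ca|
    puts "#{label}: subject=#{ca.subject} issuer=#{ca.issuer} " \
         "self_signed=#{self_signed?(ca)} verifies_agent=#{verifies?(ca, AGENT_CERT)}"
  end
end
```

Against real files, load the candidate with load_cert('/var/lib/puppet/ssl/certs/ca.pem') on each master and check self_signed? first; a CA:TRUE cert whose issuer is a different name is an intermediate, and pointing SSLCACertificateFile at it will reject every agent whose cert was signed by the top-level CA, exactly as seen in the thread.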

Discussion Overview
group: puppet-users (post 12 of 16)
category: puppet
posted: Jun 12, '12 at 6:54p
active: Jun 15, '12 at 2:44a
posts: 16
users: 5
website: puppetlabs.com

site design / logo © 2022 Grokbase