On Thu, Jun 14, 2012 at 12:30 PM, Scott Merrill wrote:
On Thu, Jun 14, 2012 at 3:13 PM, Nan Liu wrote:
So normally for self signed CA the issuer and subject is the same. In
this case you are issuing the certs via:
CN=Puppet CA: top-level-master.domain

However you are asking the system to verify against a CA cert that
presents the subject as:
CN=Puppet CA: nlvmjt036.nwideweb.net
Well that's what I get for trying to sanitize the output before
posting to the list.  nlvmjt036 is the name of my top-level master.
So you can you locate your CA cert with the subject?
Subject: CN=Puppet CA: top-level-master.domain
On my top-level master:
# diff -s /var/lib/puppet/ssl/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
Files /var/lib/puppet/ssl/ca/ca_crt.pem and
/var/lib/puppet/ssl/certs/ca.pem are identical

As mentioned previously, the top-level master's
/var/lib/puppet/ssl/certs/ca.pem file is identical to the subordinate
master's /var/lib/puppet/ssl/certs/ca.pem file.
Ok, that should be correct. The minor things I can think of is to
verify CA.pem file permission and verify agent cert issuer.

A few other thing you can try is to run the web brick server and run
puppet master --debug --no-daemonize on the sub master and see if that
give any more info. You can also try enabling CA on the sub-master and
check what you get back from another test client and see what you
receive the right CA file on initial connection and what CA cert signs
that client's CSR. That's all I can think of.



You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 14 of 16 | next ›
Discussion Overview
grouppuppet-users @
postedJun 12, '12 at 6:54p
activeJun 15, '12 at 2:44a



site design / logo © 2022 Grokbase