On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu wrote:
> On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill wrote:
>> On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
>> SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
>> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
>> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
> Shouldn't the last line also be?
> /var/lib/puppet/ssl/certs/ca.pem
>
>> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
>>> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
>>>> If I point that node to my top-level Master (via entry in /etc/hosts),
>>>> the `puppet agent --test --noop` invocation works without error.
>>>
>>> You want to make sure the subordinate master presents the same CA pub
>>> key as the top-level master.
>>
>> This sounds like it may be the piece I've been missing.
>
> sub-master:
> puppet agent -t --server sub-master --ca_server master

I had not tried this test. Doing so fails in the same way that the client fails.

> What's the result of the following command on sub-master and master?
> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 15 18:40:44 2012 GMT
            Not After : May 15 18:40:44 2017 GMT
        Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
<-snip->

> What's the output of the following on the submaster?
> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 29 01:45:38 2012 GMT
            Not After : May 29 01:45:38 2017 GMT
        Subject: CN=subordinate-master-1.domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
<-snip->

Thanks,
Scott
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
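The two checks Nan Liu asks for above (is the CA certificate on the sub-master the same one the top-level master hands out, and does the sub-master's own certificate chain to it) are easier to settle with `openssl verify` and a fingerprint comparison than by reading two `openssl x509 -text` dumps side by side: a certificate chains to a CA only if its Issuer equals the CA's Subject and the signature verifies, and `openssl verify` checks both. The script below is an added example, not code from the thread or from Puppet; it builds a throwaway PKI in a temporary directory so it runs offline, and goes one step beyond the thread by adding a second, unrelated CA to show what the failure looks like when a sub-master was bootstrapped against a different CA. It assumes `openssl` is on PATH; every file name in it is hypothetical and stands in for the corresponding file under /var/lib/puppet/ssl (the CA's own copy, ca/ca_crt.pem, and the distributed copy, certs/ca.pem, hold the same certificate on the CA host, so the `ca_fingerprint` function is what you would run on both hosts to confirm that).

```shell
#!/bin/sh
# Added example (not from the thread): exercise the CA-identity and chain
# checks discussed on the list with a disposable PKI. Assumes `openssl` is on
# PATH. All file names are hypothetical and live in a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profile mirroring the fields visible in the posted sub-master
# certificate: CA:FALSE, digitalSignature+keyEncipherment, serverAuth+clientAuth,
# and two DNS SANs (hypothetical names taken from the thread).
cat > server.ext <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = DNS:subordinate-master-1.domain,DNS:puppetmaster.domain
EOF

# make_ca NAME CN: self-signed CA key and certificate (stands in for ca_crt.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=Puppet CA: $2" 2>/dev/null
}

# issue_cert CA NAME CN: CSR for NAME, signed by CA with the profile above.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -sha256 -extfile server.ext -out "$2.pem" 2>/dev/null
}

# ca_fingerprint FILE: SHA-256 fingerprint; compare this between master and
# sub-master instead of eyeballing two `openssl x509 -text` dumps.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# subject_of / issuer_of FILE: DNs in one canonical form so they compare safely.
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | cut -d= -f2-; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | cut -d= -f2-; }

# verify_chain CA_FILE CERT_FILE: exit 0 if CERT_FILE chains to CA_FILE.
# This is the check Apache runs against SSLCACertificateFile for agent (client)
# certificates, and what an agent runs against its local certs/ca.pem.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Scenario: one top-level CA, a sub-master certificate issued by it, and a
# stray CA standing in for a sub-master that was bootstrapped on its own.
make_ca top-level-ca "top-level-master.domain"
make_ca stray-ca     "subordinate-master-1.domain"
issue_cert top-level-ca sub-master "subordinate-master-1.domain"

if verify_chain top-level-ca.pem sub-master.pem; then
  echo "sub-master.pem chains to top-level-ca.pem"
fi
if ! verify_chain stray-ca.pem sub-master.pem; then
  echo "sub-master.pem does NOT chain to stray-ca.pem: agents trusting that CA would fail"
fi
if [ "$(ca_fingerprint top-level-ca.pem)" != "$(ca_fingerprint stray-ca.pem)" ]; then
  echo "CA fingerprints differ: a sub-master serving stray-ca.pem is not presenting the top-level CA"
fi
echo "sub-master issuer : $(issuer_of sub-master.pem)"
echo "top-level subject : $(subject_of top-level-ca.pem)"
```

On a real pair of hosts the same three commands apply to the real files: `openssl x509 -noout -fingerprint -sha256 -in /var/lib/puppet/ssl/certs/ca.pem` on the master and on the sub-master must print the same value, and `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/<sub-master>.pem` on the sub-master must succeed; if either fails, the sub-master was signed by, or is distributing, a different CA than the one the agents trust, which is exactly the situation the `--ca_server master` test in the thread is meant to expose.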