On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill wrote:
On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu wrote:
On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill wrote:
If I point that node to my top-level Master (via entry in /etc/hosts),
the `puppet agent --test --noop` invocation works without error.
You want to make sure the subordinate master presents the same CA pub
key as the top-level master.
This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
Shouldn't the last line also be /var/lib/puppet/ssl/certs/ca.pem?
You're asking me? I'm the one looking for help! ;)

sub-master:
puppet agent -t --server sub-master  --ca_server master
I had not tried this test. Doing so fails in the same way that the client fails.
Yeah, so it confirms so far they are only valid client certs.

What's the result of the following command on sub-master and master?
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
The output is the same on both the top-level and subordinate master:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 15 18:40:44 2012 GMT
            Not After : May 15 18:40:44 2017 GMT
        Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
<-snip->
What's the output of the following on the submaster?
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 29 01:45:38 2012 GMT
            Not After : May 29 01:45:38 2017 GMT
        Subject: CN=subordinate-master-1.domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
<-snip->

Thanks,
Scott

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
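The two openssl dumps in the message above answer the thread's questions by eye: the first file carries CA:TRUE and Certificate Sign, the second is CA:FALSE with server and client authentication only, and the sub-master must present the same CA as the top-level master. The script below, an added example that is not from the thread or from Puppet, turns those three checks into shell functions and exercises them against a throwaway PKI it builds itself with the openssl command line. It assumes only that openssl (1.1.1 or newer) is on the PATH; the host names top-level-master.example and subordinate-master-1.example, the stray second CA, and the temporary file names are all placeholders chosen for the example, not the thread's hosts or files.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the certificate questions
# raised above, run against a throwaway CA built here with openssl. Host names
# and file names are placeholders, not the thread's hosts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/pki.cnf"

# One config file: a CA extension profile and a master (server/client) profile
# mirroring the extensions shown in the thread's two openssl dumps.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_master ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = DNS:subordinate-master-1.example, DNS:puppetmaster.example
EOF

# new_ca NAME CN: self-signed CA cert and key in $WORK/NAME.pem and $WORK/NAME_key.pem
new_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$CNF" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# new_master_cert NAME CA_NAME CN: end-entity cert for a master, signed by that CA
new_master_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" -subj "/CN=$3" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2_key.pem" \
    -CAcreateserial -days 1 -sha256 -extfile "$CNF" -extensions v3_master \
    -out "$WORK/$1.pem" 2>/dev/null
}

# is_ca_cert FILE: true only if the cert is marked CA:TRUE and may sign certificates
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE' &&
    openssl x509 -noout -text -in "$1" | grep -q 'Certificate Sign'
}

# chains_to_ca CERT CAFILE: true if CERT verifies against the CA in CAFILE
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_fingerprint FILE: SHA-256 fingerprint, the value to compare across masters
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# same_ca FILE1 FILE2: true if both files hold the same CA certificate
same_ca() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Scenario: the real CA, a master cert it issued, the copy of ca.pem the sub-master
# should hold, and a second CA with the same subject name (a placeholder for a CA
# regenerated on the wrong host), which only a fingerprint comparison tells apart.
new_ca ca "Puppet CA: top-level-master.example"
new_master_cert sub ca "subordinate-master-1.example"
cp "$WORK/ca.pem" "$WORK/sub_master_ca.pem"
new_ca stray_ca "Puppet CA: top-level-master.example"

for f in ca sub; do
  if is_ca_cert "$WORK/$f.pem"; then echo "$f.pem: CA certificate"; else echo "$f.pem: end-entity only"; fi
done
chains_to_ca "$WORK/sub.pem" "$WORK/ca.pem" && echo "sub.pem chains to ca.pem"
chains_to_ca "$WORK/sub.pem" "$WORK/stray_ca.pem" || echo "sub.pem does NOT chain to the stray CA"
same_ca "$WORK/ca.pem" "$WORK/sub_master_ca.pem" && echo "both masters hold the same CA"
same_ca "$WORK/ca.pem" "$WORK/stray_ca.pem" || echo "stray CA differs despite an identical subject"
```

Against real hosts the same functions apply to the files under /var/lib/puppet/ssl: run is_ca_cert on certs/ca.pem on each master, chains_to_ca on the sub-master's own cert against the top-level master's ca.pem, and compare cert_fingerprint of ca.pem on both hosts. To see what an agent actually receives rather than what is on disk, capture the chain with `openssl s_client -connect sub-master:8140 -showcerts` and fingerprint the issuing certificate it returns; a subject name match, as the stray CA above shows, proves nothing on its own.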

Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 12, '12 at 6:54p
active: Jun 15, '12 at 2:44a
posts: 16
users: 5
website: puppetlabs.com