On 10 November 2008 14:04, Eugene Ventimiglia <[EMAIL PROTECTED]> wrote:
> I'm having difficulty getting my head around some CA issues
> My client has:
> [puppetd]
> ca_server=puppetca.mydomain.com
>
> and puppet resolves to a different machine.
> when puppet connects, it requests a signature from puppetca.mydomain.com but
> then on the next pass fails with the following:
>
> err: Could not retrieve catalog: Certificates were not trusted: SSL_connect
> returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
>
> Is there something I have to do on the puppetmaster to tell it about the
> other CA?
> --e

Hrm, not sure I have enough information to help you out here. I'm going to make the following assumptions, please correct me if I'm wrong.

puppetca: creates puppet client certs
puppetmaster: another puppet master cert
puppet client: created from the puppetca

When the puppet client gets the cert from the puppetca, then tries to talk to the puppetmaster, it fails because the puppetmaster doesn't trust the client, and the client doesn't trust the puppetmaster.

What you need to do is make sure the puppetmaster cert is signed by the puppetca (that will get the client trusting the master) and make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client).

.r'
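Added example, not part of the original messages: a way to reproduce the two trust failures described in the reply, and both fixes, offline with `openssl verify`. The CAs, certificates and file names are throwaway stand-ins generated in a temp directory, and the script assumes the client trusts only the CA certificate it got from the ca_server.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the separate puppetca
# and the puppetmaster's own CA. All file names here are hypothetical.

# Return 0 if CERT chains to a CA listed in CA_FILE.
chains_to() {  # chains_to CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca NAME: self-signed CA written to NAME.key / NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue CA_NAME LEAF: leaf certificate LEAF.pem signed by CA_NAME
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# report LABEL CA_FILE CERT: print whether the verifier would accept CERT
report() {
    if chains_to "$2" "$3"; then echo "$1: trusted"
    else echo "$1: unknown ca"; fi
}

build_demo() {
    cd "$(mktemp -d)" || return 1
    make_ca puppetca && make_ca masterca &&
    issue puppetca client &&        # client cert from the separate CA
    issue masterca master_old &&    # master cert from its own CA (broken state)
    issue puppetca master_new &&    # fix 1: master cert signed by puppetca
    # fix 2: puppetca's public cert added to the master's CA file
    cat masterca.pem puppetca.pem > master_cafile.pem
}

build_demo || exit 1
report "master checks client, own CA only"      masterca.pem      client.pem
report "client checks master, old master cert"  puppetca.pem      master_old.pem
report "master checks client, puppetca added"   master_cafile.pem client.pem
report "client checks master, re-signed cert"   puppetca.pem      master_new.pem
```

The first two lines of output correspond to the "unknown ca" alert in the question; the last two show each side accepting the other once both changes from the reply are in place.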