I'm not sure you need that, if your certificates are not chained... Server B should point to the same ca_server as server C.
Hope it helps,
Ohad

On Tue, Nov 11, 2008 at 8:00 AM, Eugene Ventimiglia <[EMAIL PROTECTED]> wrote:

> Thanks - Your assumptions are correct.
>
> I have the following setup:
>
> Server A is the Puppetmaster for Server B
> Server B is the Puppetmaster for Server C
>
> Server C has ca_server pointing to Server A
>
> I believe that Server B's cert is signed by Server A, since Server B is
> able to get its configs from Server A...
>
> How do I get Server A's public cert into the CA file of Server B?
>
> On Mon, Nov 10, 2008 at 5:27 PM, RijilV <[EMAIL PROTECTED]> wrote:
>
>> On 10 November 2008 14:04, Eugene Ventimiglia <[EMAIL PROTECTED]> wrote:
>>
>>> I'm having difficulty getting my head around some CA issues
>>> My client has:
>>> [puppetd]
>>> ca_server=puppetca.mydomain.com
>>>
>>> and puppet resolves to a different machine.
>>> when puppet connects, it requests a signature from
>>> puppetca.mydomain.com but then on the next pass fails with the
>>> following:
>>>
>>> err: Could not retrieve catalog: Certificates were not trusted:
>>> SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert
>>> unknown ca
>>>
>>> Is there something I have to do on the puppetmaster to tell it about the
>>> other CA?
>>> --e
>>
>> Hrm, not sure I have enough information to help you out here. I'm going
>> to make the following assumptions, please correct me if I'm wrong.
>>
>> puppetca: creates puppet client certs
>> puppetmaster: another puppet master cert
>> puppet client: created from the puppetca
>>
>> When the puppet client gets the cert from the puppetca, then tries to talk
>> to the puppetmaster, it fails because the puppetmaster doesn't trust the
>> client, and the client doesn't trust the puppetmaster. What you need to do
>> is make sure the puppetmaster cert is signed by the puppetca (that will get
>> the client trusting the master) and make sure the public cert of the
>> puppetca is in the CA file on the puppetmaster (so it will trust the
>> client).
>>
>> .r'
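The trust relationship discussed in this thread, reproduced with plain `openssl` as an added example (not part of the original messages and not Puppet's own tooling). It assumes Server B's CA file initially holds only a CA unrelated to Server A's; all file names, CNs and the helper functions `make_ca`, `issue_cert` and `trusts` are constructed for the illustration.

```shell
#!/bin/sh
# Constructed lab: two unrelated CAs stand in for Server A's and Server B's CA.
# All names below are made up; only standard openssl subcommands are used.
LAB=$(mktemp -d)
CNF="$LAB/openssl.cnf"
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$CNF"

make_ca() {      # $1 = file prefix, $2 = CN; writes a self-signed CA cert
  openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$2" \
    -days 1 -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = file prefix, $2 = CN, $3 = prefix of the signing CA
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

trusts() {       # $1 = CA file, $2 = cert; true only if cert chains to that file
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

make_ca    "$LAB/caA" "Constructed CA on Server A"
make_ca    "$LAB/caB" "Constructed CA on Server B"
issue_cert "$LAB/serverC" "serverc.example.test" "$LAB/caA"

# Server B checks Server C's cert against its own CA file only: rejected,
# which is the condition reported to the peer as "unknown ca".
if trusts "$LAB/caB.pem" "$LAB/serverC.pem"; then
  echo "B trusts C"
else
  echo "B rejects C (unknown ca)"
fi

# Add Server A's public CA cert to the CA file Server B uses: accepted.
cat "$LAB/caB.pem" "$LAB/caA.pem" > "$LAB/bundle.pem"
if trusts "$LAB/bundle.pem" "$LAB/serverC.pem"; then
  echo "B trusts C"
else
  echo "B rejects C"
fi
```

Only the CA's public certificate goes into the bundle; the CA private key stays on the machine that signs.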