Well, I know I have to do something besides setting ca_server on Server 3, because it's not working.

On Mon, Nov 10, 2008 at 9:54 PM, Ohad Levy <[EMAIL PROTECTED]> wrote:

> I'm not sure you need that, if your certificates are not chained...
> Server B should point to the same ca_server as server C.
>
> Hope it helps,
> Ohad
>
> On Tue, Nov 11, 2008 at 8:00 AM, Eugene Ventimiglia <[EMAIL PROTECTED]> wrote:
>
>> Thanks - Your assumptions are correct.
>>
>> I have the following setup:
>>
>> Server A is the Puppetmaster for Server B
>> Server B is the Puppetmaster for Server C
>>
>> Server C has ca_server pointing to Server A
>>
>> I believe that Server B's cert is signed by Server A, since Server B is
>> able to get its configs from Server A...
>>
>> How do I get Server A's public cert into the CA file of Server B?
>>
>> On Mon, Nov 10, 2008 at 5:27 PM, RijilV <[EMAIL PROTECTED]> wrote:
>>
>>> On 10 November 2008 14:04, Eugene Ventimiglia <[EMAIL PROTECTED]> wrote:
>>>
>>>> I'm having difficulty getting my head around some CA issues
>>>> My client has:
>>>> [puppetd]
>>>> ca_server=puppetca.mydomain.com
>>>>
>>>> and puppet resolves to a different machine.
>>>> when puppet connects, it requests a signature from
>>>> puppetca.mydomain.com but then on the next pass fails with the
>>>> following:
>>>>
>>>> err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
>>>>
>>>> Is there something I have to do on the puppetmaster to tell it about the
>>>> other CA?
>>>> --e
>>>
>>> Hrm, not sure I have enough information to help you out here. I'm going
>>> to make the following assumptions, please correct me if I'm wrong.
>>>
>>> puppetca: creates puppet client certs
>>> puppetmaster: another puppet master cert
>>> puppet client: created from the puppetca
>>>
>>> When the puppet client gets the cert from the puppetca, then tries to
>>> talk to the puppetmaster, it fails because the puppetmaster doesn't trust
>>> the client, and the client doesn't trust the puppetmaster. What you need to
>>> do is make sure the puppetmaster cert is signed by the puppetca (that will
>>> get the client trusting the master) and make sure the public cert of the
>>> puppetca is in the CA file on the puppetmaster (so it will trust the
>>> client).
>>>
>>> .r'
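
The two-way trust requirement described in the quoted thread, reproduced with plain `openssl` as an added example (not part of the original messages and not Puppet's own tooling). All certificate names and subjects are constructed, and no Puppet file paths are assumed.

```shell
#!/bin/sh
# Added example. All names are constructed; no Puppet file paths are assumed.
# Needs the openssl command-line tool.

new_ca() {   # new_ca <name> <CN>: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

issue() {    # issue <ca> <name> <CN>: certificate for <CN> signed by <ca>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

report() {   # report <label> <ca-bundle> <cert>: does cert chain to the bundle?
  if openssl verify -CAfile "$2" "$3" >/dev/null 2>&1
  then echo "$1=trusted"
  else echo "$1=rejected"
  fi
}

trust_demo() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    new_ca puppetca "puppetca.example"     # the CA that ca_server points to
    new_ca masterca "master-ca.example"    # CA the puppetmaster made for itself
    issue puppetca client "client.example"
    issue masterca master_old "puppet.example"

    # Before: each side knows only its own CA (the "unknown ca" situation).
    report master_checks_client_before masterca.pem client.pem
    report client_checks_master_before puppetca.pem master_old.pem

    # Fix 1: master cert signed by the puppetca, so the client trusts it.
    issue puppetca master_new "puppet.example"
    # Fix 2: puppetca public cert added to the master's CA file.
    cat masterca.pem puppetca.pem > master_bundle.pem

    report master_checks_client_after master_bundle.pem client.pem
    report client_checks_master_after puppetca.pem master_new.pem
  )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}
# Call trust_demo to print the four results.
```

Both "before" checks are rejected and both "after" checks are trusted, which is why changing only the client's `ca_server` setting is not enough on its own.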