I think my bug writeup on #3120 is less than wonderful but I wanted to point it up to the list here in hope of inspiring further comment.
The situation is that I followed first Ohad's doc on PuppetScalability, then Jeff McCune's MultipleCertificateAuthorities writeup, to no avail. I tried both following the directions and then tweaking things which seemed to be wrong (of which #3120 is one offshoot) and got no love. Puppet doesn't seem to want to verify a multi-level cert, even when all the CA certificates are available to it concatenated together in $ssldir/certs/ca.crt. ('openssl verify -CAfile ca.crt' returns OK.)

Ultimately I gave up; like Paul L's thread "SSL Makes My Brain Bleed", my brain bled too, and I ended up following his hard-fought wisdom from http://groups.google.com/group/puppet-users/msg/89b75ebe91c5985b

I.e., set up one host to be the CA, set ca=false on the other puppetmasters, and use puppetd --ca_server=puppetca on initial run to point the clients at it. I sort of feel like I should have done this last week and saved much tooth-gnashing.

So my question to the larger audience is, has *anybody* really gotten this to work? Both the wiki docs are kind of old and, at least in MultipleCertificateAuthorities' case, have some pretty serious caveats, like "This isn't working". Even Ohad's setup says "Please note that webrick is at this time (0.24.4) unable to handle the certs in a correct way to get this setup working."

Thanks
-=Eric
--
death needs time for what it kills to grow in
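The 'openssl verify -CAfile ca.crt' check mentioned in the message can be reproduced offline with a throwaway chain. The script below is an added example, not part of the original post or of Puppet: it builds a constructed root, intermediate and leaf certificate and shows that the leaf verifies only against the concatenated bundle. All subject names and file names are placeholders, and it exercises OpenSSL's verification only, not Puppet's.

```shell
#!/bin/sh
# Added example. Subject names and file names below are constructed placeholders.

# new_csr DIR NAME CN: generate an RSA key and a CSR for CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: create root CA -> intermediate CA -> leaf under DIR.
build_chain() {
    d=$1
    # Extensions that mark a certificate as a CA (needed for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    new_csr "$d" root "Example Root CA" || return 1
    new_csr "$d" int "Example Intermediate CA" || return 1
    new_csr "$d" leaf "puppetmaster.example.test" || return 1
    # Root is self-signed; the intermediate is signed by the root; the leaf by the intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 30 -out "$d/root.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 30 -out "$d/int.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -out "$d/leaf.crt" 2>/dev/null || return 1
}

# chain_verifies BUNDLE CERT: succeed only if openssl reports "CERT: OK".
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    # Same layout as the post: every CA certificate concatenated into ca.crt.
    cat "$tmp/int.crt" "$tmp/root.crt" > "$tmp/ca.crt"
    for bundle in root.crt ca.crt; do
        if chain_verifies "$tmp/$bundle" "$tmp/leaf.crt"; then
            echo "$bundle: leaf verifies"
        else
            echo "$bundle: leaf does NOT verify"
        fi
    done
    rm -rf "$tmp"
}

demo
```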