Hi,
I'm trying to develop a manifest to set up a new puppet master. To solve
the SSL certificates I've created a root CA outside of puppet, and have
generated an intermediate CA for the new puppet master to use. I've also
configured my puppetmaster daemon to use its own ssl directory. So the
new puppetmaster is at the same time a client of the old puppet master
using the old puppet managed CA on that machine, and a puppet master
using this new hybrid CA (1) scheme.
However, I get SSL errors when the puppet client joins. The initial
join seems to work; I successfully do 'puppetca --sign', and I find on
the client that appropriate keys and certs have appeared under
/var/lib/puppet/ssl.
However, when I run 'puppetd --test', I get errors:
geo...@chiraz-60:~/tmp$ sudo puppetd --test --color=false
info: Loading fact raidcontroller
info: Loading fact raidtype
info: Retrieving plugins
warning: Certificate validation failed; considering using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
during transaction: Certificates were not trusted: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
warning: Certificate validation failed; considering using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Certificates were not trusted: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed Could
not describe /plugins: Certificates were not trusted: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
info: Loading fact raidcontroller
info: Loading fact raidtype
warning: Certificate validation failed; considering using the certname
configuration option
err: Could not retrieve catalog: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
warning: Not using cache on failed catalog
Anyone know how I can arrange for the puppet client to successfully
trust the master's certificate?
(1) By hybrid I mean that the puppet master's certificate and private key
have been generated by me, but I want the puppet master to act as the CA
like it normally does for the puppet clients that connect to it.
--
+-Geoff Crompton
+--Debian System Administrator
+---Trinity College
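As an added diagnostic that is not part of the original post: the script below rebuilds the chain described above (external root CA -> intermediate CA -> puppet master certificate) with constructed keys and names, then checks which trust bundle lets a client validate the master's certificate, the same check a client performs against its ca.pem under /var/lib/puppet/ssl. It assumes only that openssl (1.1.1 or later) is on the path; every file name and subject is invented for the demo.

```shell
#!/bin/sh
# Constructed demo: reproduce the root -> intermediate -> master chain and
# see which CA bundle a client needs in order to trust the master's cert.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
quiet() { "$@" >/dev/null 2>&1; }

# openssl only accepts a certificate as a CA if basicConstraints says so.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# 1. Root CA, kept outside puppet (constructed subject).
quiet openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Constructed Root CA'
quiet openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ca.ext -out root.pem

# 2. Intermediate CA, the one handed to the new puppet master.
quiet openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj '/CN=Constructed Puppet CA'
quiet openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -days 30 -extfile ca.ext -out int.pem

# 3. The master's own server certificate, issued by the intermediate.
quiet openssl req -newkey rsa:2048 -nodes -keyout master.key \
  -out master.csr -subj '/CN=puppetmaster.example'
quiet openssl x509 -req -in master.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -days 30 -out master.pem

# A client whose trust anchor file is $1: does it accept master.pem?
# $2 (optional) is an extra, untrusted chain cert the server might send.
client_trusts() {
  if [ -n "${2:-}" ]; then
    quiet openssl verify -CAfile "$1" -untrusted "$2" master.pem
  else
    quiet openssl verify -CAfile "$1" master.pem
  fi
}

# What a client's ca.pem should contain: every CA above the master's cert.
cat root.pem int.pem > bundle.pem

client_trusts int.pem && echo "intermediate alone: OK" \
  || echo "intermediate alone: FAIL (no path to a self-signed root)"
client_trusts root.pem && echo "root alone, chain not sent: OK" \
  || echo "root alone, chain not sent: FAIL (intermediate unknown)"
client_trusts root.pem int.pem && echo "root + intermediate sent: OK" \
  || echo "root + intermediate sent: FAIL"
client_trusts bundle.pem && echo "root+intermediate bundle as ca.pem: OK" \
  || echo "root+intermediate bundle as ca.pem: FAIL"
```

The two failing cases are the ones that produce "certificate verify failed" on the client; comparing the client's ca.pem against the master's issuer chain with `openssl verify` in this way shows which CA certificate is missing.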