Have you perhaps revoked a certificate off one CA that matched the serial number issued by another? And perhaps the second CA issued that particular serial number to the puppet server itself?
No, I haven't done this myself, why do you ask? *whistles tunelessly*

https://projects.puppetlabs.com/issues/4948

On Nov 29, 2010, at 1:44 PM, Alan Barrett wrote:

> On Mon, 29 Nov 2010, Patrick wrote:
>>> So, it seems that the puppetd client is doing something different from
>>> the "openssl s_client" command used for testing. What certificate is
>>> the puppetd client attempting to present, and how can I change that?
>>
>> Run this on the client for the config puppet is using:
>> puppetd --genconfig
>
> I use that all the time. The file names that I passed to "openssl
> s_client" are identical to those reported by "puppetd --genconfig".
>
> Whether or not the clientcrl file (ca_crl.pem) exists seems to have
> something to do with the problem but I haven't figured out the details.
> If I delete that file, then the puppetd client can connect, and it
> downloads a fresh copy of the CRL, after which it can no longer connect.
> I have configured certificate_revocation=false on the server, but it
> nevertheless sends the CRL file to the client.
>
> --apb (Alan Barrett)
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

- Eric Sorenson - N37 17.255 W121 55.738 - http://twitter.com/ahpook -
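
The serial-number collision asked about at the top of this message, as an added example that is not part of the thread and is not Puppet's code: a CRL from one CA is checked against a certificate from another CA that happens to use the same serial. The CA names, the hostname and all helper functions are assumptions made for the illustration.

```ruby
require 'openssl'

# Issue a minimal certificate for subject_cn, signed by the CA named ca_cn.
def issue(ca_key, ca_cn, subject_cn, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = OpenSSL::X509::Name.parse("/CN=#{ca_cn}")
  cert.public_key = OpenSSL::PKey::RSA.new(2048)
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Build a CRL signed by the CA named ca_cn that revokes the given serials.
def make_crl(ca_key, ca_cn, serials)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.parse("/CN=#{ca_cn}")
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Serial-only lookup: misfires when the CRL belongs to a different CA.
def revoked_by_serial?(cert, crl)
  crl.revoked.any? { |entry| entry.serial == cert.serial }
end

# Scoped lookup: a CRL counts only if the certificate's issuer named and signed it.
def revoked?(cert, crl, issuer_key)
  return false unless crl.issuer.cmp(cert.issuer).zero? && crl.verify(issuer_key)
  revoked_by_serial?(cert, crl)
end

# Constructed scenario: two CAs (hypothetical names) that both number from 1.
def demo
  old_key, new_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  server = issue(new_key, 'Example New CA', 'puppet.example.test', 2)
  stale_crl = make_crl(old_key, 'Example Old CA', [2]) # old CA's own serial 2
  { serial_only: revoked_by_serial?(server, stale_crl),
    scoped: revoked?(server, stale_crl, new_key),
    really_revoked: revoked?(server, make_crl(new_key, 'Example New CA', [2]), new_key) }
end
p demo
```

The serial-only lookup reports the server certificate as revoked even though its own CA never revoked it; the issuer-scoped lookup reports it revoked only when the CRL comes from the CA that issued it.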