Thanks, I realised that when I sent it. Dialled back the CA to:

    Listen 18140
    <VirtualHost *:18140>
        SSLEngine off
        ServerName <CA FQDN>
        RackAutoDetect On
        DocumentRoot /etc/puppet/rack/puppetmaster/public/
        <Directory /etc/puppet/rack/puppetmaster/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
Now clients are getting cert requests signed but not going any further:

    info: Creating a new SSL key for <CLIENT FQDN>
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for <CLIENT FQDN>
    info: Certificate Request fingerprint (md5): 51:D6:6B:58:EA:CC:11:14:4B:48:E1:B4:C1:8B:A5:A6
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for <CLIENT FQDN>
    info: Retrieving plugin
    err: /File[/var/lib/puppet/plugins]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
    err: /File[/var/lib/puppet/plugins]: Could not evaluate: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://<LOAD BALANCER FQDN>/plugins: certificate verify failed. This is often because the time is out of sync on the server or client
    err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog

I know the time is in sync OK. Certs look the same.
On CA:

    # openssl x509 -text -noout -in <CLIENT FQDN>
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8 (0x8)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Puppet CA: <CA FQDN>
            Validity
                Not Before: Dec 15 15:29:00 2011 GMT
                Not After : Dec  9 15:29:00 2036 GMT
            Subject: CN=<CLIENT FQDN>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:ad:62:d2:47:05:33:94:e2:5c:55:c1:e4:c4:7b:
                        27:7d:21:ec:0b:34:29:39:4f:56:1c:81:9f:94:3d:
                        9c:4c:ed:b0:ae:6b:82:85:d9:2f:3f:c9:bc:9a:31:
                        3d:5b:e7:d0:f9:19:7c:71:e0:ad:7f:18:fa:fe:53:
                        38:d2:35:67:d6:e6:dd:f8:df:fc:3c:46:ae:50:b1:
                        7b:66:04:a1:39:b3:bf:55:39:2e:47:ad:ee:59:ae:
                        17:36:43:2b:76:c3:ad:90:5e:03:67:aa:7e:8e:9e:
                        ca:1a:19:c6:3f:2e:c0:ea:33:bc:2a:01:63:2b:85:
                        e5:b1:4a:75:ff:0f:8b:b2:4d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Netscape Comment:
                    Puppet Ruby/OpenSSL Internal Certificate
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Subject Key Identifier:
                    C7:AB:D6:D1:DC:D9:30:E6:0B:DE:60:4E:FB:25:37:AF:7F:43:E1:B7
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
        Signature Algorithm: sha1WithRSAEncryption
            00:dc:82:79:6b:2f:30:2c:e2:8b:9d:52:78:6f:e7:86:56:8c:
            98:7f:3a:46:8a:86:49:12:de:e7:2e:c3:d9:ed:96:e6:5e:1e:
            fe:0d:cc:86:ed:86:2e:44:13:c3:4b:ec:e7:3c:9a:1d:bf:2d:
            07:a5:c7:65:dc:ec:10:80:85:f5:de:25:83:8b:66:4f:46:17:
            73:97:5d:1b:8c:9e:1c:bc:7a:51:5a:11:d7:b4:75:21:44:0b:
            39:29:06:77:51:9a:b0:3f:5b:80:6b:6d:13:99:ed:6a:7d:35:
            c2:0c:6c:f2:98:f0:d1:f0:4f:ed:d6:53:98:7c:8a:5b:07:4a:
            54:e0

On client:

    # openssl x509 -text -noout -in <CLIENT FQDN>
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8 (0x8)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Puppet CA: <CA FQDN>
            Validity
                Not Before: Dec 15 15:29:00 2011 GMT
                Not After : Dec  9 15:29:00 2036 GMT
            Subject: CN=<CLIENT FQDN>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ad:62:d2:47:05:33:94:e2:5c:55:c1:e4:c4:7b:
                        27:7d:21:ec:0b:34:29:39:4f:56:1c:81:9f:94:3d:
                        9c:4c:ed:b0:ae:6b:82:85:d9:2f:3f:c9:bc:9a:31:
                        3d:5b:e7:d0:f9:19:7c:71:e0:ad:7f:18:fa:fe:53:
                        38:d2:35:67:d6:e6:dd:f8:df:fc:3c:46:ae:50:b1:
                        7b:66:04:a1:39:b3:bf:55:39:2e:47:ad:ee:59:ae:
                        17:36:43:2b:76:c3:ad:90:5e:03:67:aa:7e:8e:9e:
                        ca:1a:19:c6:3f:2e:c0:ea:33:bc:2a:01:63:2b:85:
                        e5:b1:4a:75:ff:0f:8b:b2:4d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Netscape Comment:
                    Puppet Ruby/OpenSSL Internal Certificate
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Subject Key Identifier:
                    C7:AB:D6:D1:DC:D9:30:E6:0B:DE:60:4E:FB:25:37:AF:7F:43:E1:B7
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication, TLS Web Client Authentication
        Signature Algorithm: sha1WithRSAEncryption
            00:dc:82:79:6b:2f:30:2c:e2:8b:9d:52:78:6f:e7:86:56:8c:
            98:7f:3a:46:8a:86:49:12:de:e7:2e:c3:d9:ed:96:e6:5e:1e:
            fe:0d:cc:86:ed:86:2e:44:13:c3:4b:ec:e7:3c:9a:1d:bf:2d:
            07:a5:c7:65:dc:ec:10:80:85:f5:de:25:83:8b:66:4f:46:17:
            73:97:5d:1b:8c:9e:1c:bc:7a:51:5a:11:d7:b4:75:21:44:0b:
            39:29:06:77:51:9a:b0:3f:5b:80:6b:6d:13:99:ed:6a:7d:35:
            c2:0c:6c:f2:98:f0:d1:f0:4f:ed:d6:53:98:7c:8a:5b:07:4a:
            54:e0

So now I am really puzzled :(

Cheers
Paul
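The "certificate verify failed" above comes from the client verifying the cert the load balancer presents, not the client's own cert, so eyeballing `-text` output of the client cert is not the check that decides it. The script below is an added example, not part of Paul's post or of Puppet itself: it builds a throwaway CA and a master cert under a temporary directory (all names are constructed) and wraps the three checks a practitioner would point at the real files under /var/lib/puppet/ssl, namely whether two copies of a cert are byte-identical (by SHA-256 fingerprint), whether a cert chains to the CA, and whether the client would accept it for the load-balancer name it actually contacts.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.0+
# for -verify_hostname). All hostnames and files here are constructed.
set -eu
WORK=$(mktemp -d)

# Throwaway CA: stand-in for the Puppet CA's ca_crt.pem / ca_key.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Puppet CA: ca.example.test" >/dev/null 2>&1

# Master cert whose SAN lists the load balancer FQDN as well as its own
# name (what Puppet's dns_alt_names is for when masters sit behind a VIP).
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/master.key" \
  -out "$WORK/master.csr" -subj "/CN=master1.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:master1.example.test,DNS:puppet-lb.example.test\n' \
  > "$WORK/san.ext"
openssl x509 -req -in "$WORK/master.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
  -extfile "$WORK/san.ext" -out "$WORK/master.pem" >/dev/null 2>&1

# Check 1: are two copies of a cert really the same?  Compare SHA-256
# fingerprints instead of reading -text dumps side by side.
same_cert() {
  a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
  b=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
  [ "$a" = "$b" ]
}

# Check 2: does cert $2 chain to CA $1?  Run this with the ca.pem the
# *client* has cached, since a stale cached CA cert fails exactly like this.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 3: would a client connecting to hostname $2 accept cert $3 under
# CA $1?  The name must appear in the cert's SAN (or CN), so a master cert
# without the load-balancer FQDN fails here even though it chains fine.
accepted_for_name() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Stand-alone run: a second copy of the master cert, then all three checks.
cp "$WORK/master.pem" "$WORK/master-copy.pem"
same_cert "$WORK/master.pem" "$WORK/master-copy.pem" && echo "copies identical"
chains_to_ca "$WORK/ca.pem" "$WORK/master.pem" && echo "chains to CA"
accepted_for_name "$WORK/ca.pem" puppet-lb.example.test "$WORK/master.pem" \
  && echo "accepted for puppet-lb.example.test"
accepted_for_name "$WORK/ca.pem" other.example.test "$WORK/master.pem" \
  || echo "rejected for other.example.test (name not in SAN)"
```

On a real master the inputs would be the client's cached certs/ca.pem, the CA's ca_crt.pem, and the master's own cert, with the load balancer FQDN as the hostname.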