On Fri, 2011-12-16 at 07:53 -0800, ollies...@googlemail.com wrote:
> Thanks I realised that when I sent it. Dialled back the CA to:-
>
> Listen 18140
> <VirtualHost *:18140>
>     SSLEngine off
>     ServerName <CA FQDN>
>     RackAutoDetect On
>     DocumentRoot /etc/puppet/rack/puppetmaster/public/
>     <Directory /etc/puppet/rack/puppetmaster/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
> </VirtualHost>
>
> Now clients are getting cert requests signed but not going any further
>
> info: Creating a new SSL key for <CLIENT FQDN>
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for <CLIENT FQDN>
> info: Certificate Request fingerprint (md5): 51:D6:6B:58:EA:CC:11:14:4B:48:E1:B4:C1:8B:A5:A6
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for <CLIENT FQDN>
> info: Retrieving plugin
> err: /File[/var/lib/puppet/plugins]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
> err: /File[/var/lib/puppet/plugins]: Could not evaluate: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://<LOAD BALANCER FQDN>/plugins: certificate verify failed. This is often because the time is out of sync on the server or client
> err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
> warning: Not using cache on failed catalog
OK, so when it tried to pluginsync it complained the server certificate
could not be verified. Are you sure the puppetmaster _server_ certificate
has been signed by the same CA as this node's _client_ certificate? In other
words, is the following working:

openssl s_client -host puppet -port 8140 \
    -CAfile /var/lib/puppet/ssl/certs/ca.pem \
    -cert /var/lib/puppet/ssl/certs/<CLIENT FQDN>.pem \
    -key /var/lib/puppet/ssl/private_keys/<CLIENT FQDN>.pem

If not, it might give you more information (especially with -debug).

Also, it might be worth checking on the apache error log.

> I know the time is in sync OK
>
> Certs look the same.

To be really sure compare the certificate fingerprints.

-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
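A scripted form of the check Brice suggests (confirm the puppetmaster's server certificate chains to the CA cached on the node, and print the fingerprints to compare), added here as an example and not code from the thread or from Puppet. It assumes the thread's hostname `puppet`, port 8140 and `/var/lib/puppet/ssl` layout, and uses md5 fingerprints because that is the digest the agent printed in the log above.

```shell
#!/bin/sh
# Added example (not from the thread): check that the certificate a puppetmaster
# presents was signed by the CA cached on this node, and show the fingerprints
# Brice suggests comparing. Paths mirror the thread's /var/lib/puppet/ssl layout.
set -eu

# Fingerprint of a PEM certificate. Assumption: md5, matching the digest the
# Puppet 2.7 agent printed in the log above; pass another digest as $2 to change it.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -"${2:-md5}" -in "$1" | sed 's/^[^=]*=//'
}

# Issuer DN of a PEM certificate (must equal the node CA's subject DN).
cert_issuer() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# Succeeds only if $2 verifies against CA $1 (issuer match and valid signature).
signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the certificate a TLS server presents, e.g. fetch_server_cert puppet 8140 srv.pem
# (the same connection as the s_client check in the reply, without the client cert).
fetch_server_cert() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Compare the node CA ($1) with a server certificate ($2); returns 1 on a mismatch,
# which is the condition behind "certificate verify failed" in the log above.
check_puppet_chain() {
  echo "node CA fingerprint:     $(cert_fingerprint "$1")"
  echo "node CA subject:         $(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')"
  echo "server cert issuer:      $(cert_issuer "$2")"
  echo "server cert fingerprint: $(cert_fingerprint "$2")"
  if signed_by_ca "$1" "$2"; then
    echo "OK: server certificate was signed by this node's CA"
  else
    echo "MISMATCH: server certificate was not signed by this node's CA"
    return 1
  fi
}

# Typical run on a node, against the defaults from the thread:
#   fetch_server_cert puppet 8140 /tmp/server.pem
#   check_puppet_chain /var/lib/puppet/ssl/certs/ca.pem /tmp/server.pem
```

If the issuer printed for the server certificate differs from the node CA's subject, the master is serving a certificate from a different CA than the one the agent cached, which is exactly what the pluginsync errors indicate.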