On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill <ski...@skippy.net> wrote:
> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>>> If I point that node to my top-level Master (via entry in /etc/hosts),
>>> the `puppet agent --test --noop` invocation works without error.
>>
>> You want to make sure the subordinate master presents the same CA pub
>> key as the top-level master.
>
> This sounds like it may be the piece I've been missing.
>
> On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
> SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

Shouldn't the last line also be /var/lib/puppet/ssl/certs/ca.pem?

> On my subordinate masters, I have:
> SSLCertificateFile /var/lib/puppet/ssl/certs/subordinate-master.pem
> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/subordinate-master.pem
> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
> SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
>
> On the subordinate masters, the ca.pem referenced in the
> SSLCertificateChainFile and SSLCACertificateFile is the same as the
> top-level master's SSLCertificateChainFile.
>
> I copied ca_crt.pem from the top-level master to the subordinate
> master, and updated the SSLCACertificateFile to point to it. The node
> still fails with the same error message.
>
> Perhaps I'm not fully understanding you. Do I need each subordinate
> master to use the same public _and_ private key as the CA?
>
>>> Subordinate masters can function as clients of the top-level Master
>>> successfully, so their certificates are installed and signed
>>> correctly, at least for the agent context.
>>
>> You only verified they have a working client cert, not that it's
>> presenting the correct CA pub key or server cert. An easy test is to
>> connect the subordinate master to itself and see if that works.
>>
>> I would run the following tests:
>>
>> client:
>> puppet agent -t --server sub-master --ca_server master
>
> This is essentially the test I've been performing using /etc/hosts
> entries to point to a specific subordinate master. Using an explicit
> "--server" argument does not produce different results on the node: it
> fails.
>
>> sub-master:
>> puppet agent -t --server sub-master --ca_server master
>
> I had not tried this test. Doing so fails in the same way that the client
> fails.

Yeah, so it confirms so far they are only valid client certs. What's the
result of the following command on sub-master and master?

openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

What's the output of the following on the submaster?

openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem

Nan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
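Added example (not part of the thread above and not Puppet's own tooling): a shell script that makes the two checks Nan is asking Scott to do by hand with openssl, so they can be scripted and repeated. It answers "do master and sub-master present the same CA cert?" by comparing SHA-256 fingerprints rather than eyeballing `openssl x509 -text` output, and it answers "is the sub-master's cert usable as a server cert, or only as a client cert?" with `openssl verify -purpose sslserver`, which is the distinction Nan draws ("only valid client certs"). Because it has to run offline, the script builds a throwaway CA, a second unrelated CA, a cert issued for both server and client use, and a cert issued for client use only; the CA names, hostnames (sub-master.example, agent-only.example) and the temporary directory are all made up for the demonstration and are not the paths from the thread.

```shell
#!/bin/sh
# Added example: reproduce the two openssl checks from the thread in a form
# you can run against real files. Everything below the function definitions
# is a constructed demo PKI in a temp dir; on a real sub-master you would
# point the functions at /var/lib/puppet/ssl/certs/ca.pem and the server's
# own cert instead.

# SHA-256 fingerprint of a PEM certificate (only the hex part).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeeds if two PEM files contain the same certificate. Run this with
# master:/var/lib/puppet/ssl/certs/ca.pem and the sub-master's copy.
same_ca() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Succeeds if $2 chains to CA $1, is allowed to act as a TLS *server*
# (extendedKeyUsage serverAuth) and matches hostname $3. A cert that is
# only a valid Puppet client cert fails the -purpose sslserver check.
server_cert_ok() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# Does the cert carry the serverAuth EKU? (what to look for in -text output)
has_server_eku() {
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

# --- constructed demo PKI below (hypothetical names, throwaway keys) -----

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR CN NAME -> DIR/NAME.pem + DIR/NAME.key (self-signed CA)
make_ca() {
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.pem" -subj "/CN=$2" -days 1 2>/dev/null
}

# issue_cert DIR CA_PEM CA_KEY HOSTNAME EKU -> DIR/HOSTNAME.pem signed by CA
issue_cert() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$4.key" -out "$1/$4.csr" -subj "/CN=$4" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
        "$5" "$4" > "$1/$4.ext"
    openssl x509 -req -in "$1/$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -extfile "$1/$4.ext" -out "$1/$4.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
write_req_config "$DEMO_DIR/req.cnf"
make_ca "$DEMO_DIR" "Puppet CA: top-level-master.example" ca
make_ca "$DEMO_DIR" "Unrelated CA" other_ca
# Like a sub-master cert that was issued for server use:
issue_cert "$DEMO_DIR" "$DEMO_DIR/ca.pem" "$DEMO_DIR/ca.key" sub-master.example serverAuth,clientAuth
# Like a cert that only ever worked as an agent (client) cert:
issue_cert "$DEMO_DIR" "$DEMO_DIR/ca.pem" "$DEMO_DIR/ca.key" agent-only.example clientAuth

report() { if "$@" >/dev/null 2>&1; then echo "yes"; else echo "no"; fi; }
echo "master and sub-master present the same CA cert: $(report same_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/ca.pem")"
echo "sub-master presents an unrelated CA cert:       $(report same_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/other_ca.pem")"
echo "sub-master cert valid as server cert:          $(report server_cert_ok "$DEMO_DIR/ca.pem" "$DEMO_DIR/sub-master.example.pem" sub-master.example)"
echo "same cert, wrong CA on the client side:        $(report server_cert_ok "$DEMO_DIR/other_ca.pem" "$DEMO_DIR/sub-master.example.pem" sub-master.example)"
echo "client-only cert valid as server cert:         $(report server_cert_ok "$DEMO_DIR/ca.pem" "$DEMO_DIR/agent-only.example.pem" agent-only.example)"
```

On a real host the interesting calls are `same_ca master-ca.pem submaster-ca.pem` (copy the master's ca.pem over first) and `server_cert_ok ca.pem certs/<fqdn>.pem <fqdn>`; if the second fails while `openssl verify -CAfile ca.pem certs/<fqdn>.pem` alone succeeds, the cert chains correctly but lacks the serverAuth EKU, i.e. it is a client-only cert, which is exactly the state Nan is describing.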