On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu <n...@puppetlabs.com> wrote:
> On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill <ski...@skippy.net> wrote:
>> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
>>> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>>>> If I point that node to my top-level Master (via entry in /etc/hosts),
>>>> the `puppet agent --test --noop` invocation works without error.
>>>
>>> You want to make sure the subordinate master presents the same CA pub
>>> key as the top-level master.
>>
>> This sounds like it may be the piece I've been missing.
>>
>> On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
>>
>> SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
>> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
>> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
> Shouldn't the last line also be?
> /var/lib/puppet/ssl/certs/ca.pem
You're asking me? I'm the one looking for help! ;)

>>> sub-master:
>>> puppet agent -t --server sub-master --ca_server master
>>
>> I had not tried this test. Doing so fails in the same way that the client
>> fails.
>
> Yeah, so it confirms so far they are only valid client certs.
>
> What's the result of the following command on sub-master and master?
> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

The output is the same on both the top-level and subordinate master:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 15 18:40:44 2012 GMT
            Not After : May 15 18:40:44 2017 GMT
        Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
<-snip->

> What's the output of the following on the submaster?
> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: top-level-master.domain
        Validity
            Not Before: May 29 01:45:38 2012 GMT
            Not After : May 29 01:45:38 2017 GMT
        Subject: CN=subordinate-master-1.domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
<-snip->
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
<-snip->

Thanks,
Scott
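The checks Nan is asking Scott to do by eye (same ca.pem on both masters, CA:TRUE on the CA cert, the sub-master's server cert actually chaining to that CA) can be scripted with the same openssl CLI. The script below is an added example written for this thread; it is not code from the thread or from Puppet. It takes whatever certificate paths you hand it, and builds a throwaway PKI of its own (a CA, a server cert signed by it, and a second unrelated CA standing in for a "wrong" ca.pem) so it can be run offline. Because the two certificates posted above show the same Subject Key Identifier, and the SKI is normally a hash of the public key, it also compares public keys directly rather than trusting the identifier. The hostnames in the throwaway PKI are made up.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from Puppet):
# sanity checks for a subordinate master's certificate against the CA cert.
# Certificate paths are supplied by the caller; the test PKI is constructed
# locally with made-up names.
set -eu

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeeds when both files hold the identical certificate. Run it on the
# ca.pem fetched from each master: differing fingerprints mean the masters
# present different CAs, and an agent trusting one will reject the other.
same_ca() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Succeeds when the certificate is a CA (Basic Constraints CA:TRUE). A server
# cert issued to a master carries CA:FALSE and cannot sign agent certs.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Succeeds when the server cert in $2 chains to (was signed by) the CA in $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when two certs carry the same public key. The Subject Key
# Identifier is normally a hash of the public key, so a server cert with the
# CA's SKI is a sign that the CA key pair was reused for the server.
same_public_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Run every check for one subordinate master: $1 is the ca.pem it serves,
# $2 its server cert, $3 the ca.pem from the top-level master.
# Prints one line per check and returns the number of failed checks.
check_sub_master() {
    fails=0
    same_ca "$1" "$3"          && echo "ok:   sub-master serves the top-level CA cert" || { echo "FAIL: CA cert differs from top-level master"; fails=$((fails + 1)); }
    is_ca_cert "$1"            && echo "ok:   $1 is CA:TRUE"                           || { echo "FAIL: $1 is not a CA certificate";           fails=$((fails + 1)); }
    chain_verifies "$1" "$2"   && echo "ok:   $2 chains to $1"                         || { echo "FAIL: $2 does not chain to $1";              fails=$((fails + 1)); }
    same_public_key "$1" "$2"  && { echo "FAIL: server cert reuses the CA key pair";   fails=$((fails + 1)); } || echo "ok:   server cert has its own key pair"
    return "$fails"
}

# Build a throwaway PKI in directory $1: one CA, one server cert signed by
# it, and a second unrelated CA that plays the role of a wrong ca.pem.
make_test_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = DNS:sub-master.example,DNS:puppetmaster.example
subjectKeyIdentifier = hash
EOF
    for ca in ca other-ca; do
        openssl genrsa -out "$dir/$ca.key" 2048 2>/dev/null
        openssl req -new -x509 -key "$dir/$ca.key" -out "$dir/$ca.pem" -days 30 \
            -subj "/CN=Puppet CA: $ca.example" -config "$dir/ca.cnf" -extensions v3_ca
    done
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=sub-master.example" -config "$dir/ca.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.pem" -days 30 -extfile "$dir/server.ext" 2>/dev/null
}

# Demo when invoked as "sh script.sh demo": one passing run, one failing run.
if [ "${1:-}" = "demo" ]; then
    T=$(mktemp -d)
    make_test_pki "$T"
    check_sub_master "$T/ca.pem" "$T/server.pem" "$T/ca.pem"       || true
    check_sub_master "$T/other-ca.pem" "$T/server.pem" "$T/ca.pem" || true
    rm -rf "$T"
fi
```

Against real masters, copy /var/lib/puppet/ssl/certs/ca.pem from each host and the sub-master's /var/lib/puppet/ssl/certs/<fqdn>.pem to one machine and call check_sub_master with those three paths; openssl verify will also report a cert that has expired or whose issuer name does not match, which eyeballing -text output misses.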