On Thu, Jun 14, 2012 at 12:55 PM, Scott Merrill <ski...@skippy.net> wrote:
> On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill <ski...@skippy.net> wrote:
>>> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
>>>> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>>>>> If I point that node to my top-level Master (via entry in /etc/hosts),
>>>>> the `puppet agent --test --noop` invocation works without error.
>>>>
>>>> You want to make sure the subordinate master presents the same CA pub
>>>> key as the top-level master.
>>>
>>> This sounds like it may be the piece I've been missing.
>>>
>>> On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
>>> SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
>>> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
>>> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>>> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>
>> Shouldn't the last line also be
>> /var/lib/puppet/ssl/certs/ca.pem?
>
> You're asking me? I'm the one looking for help! ;)
>
>>>> sub-master:
>>>> puppet agent -t --server sub-master --ca_server master
>>>
>>> I had not tried this test. Doing so fails in the same way that the client
>>> fails.
>>
>> Yeah, so it confirms so far they are only valid client certs.
>>
>> What's the result of the following command on sub-master and master?
>> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
>
> The output is the same on both the top-level and subordinate master:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Puppet CA: top-level-master.domain
>         Validity
>             Not Before: May 15 18:40:44 2012 GMT
>             Not After : May 15 18:40:44 2017 GMT
>         Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 <-snip->
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Comment:
>                 Puppet Ruby/OpenSSL Internal Certificate
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
> <-snip->
>
>> What's the output of the following on the submaster?
>> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/subordinate-master.pem
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 9 (0x9)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Puppet CA: top-level-master.domain
>         Validity
>             Not Before: May 29 01:45:38 2012 GMT
>             Not After : May 29 01:45:38 2017 GMT
>         Subject: CN=subordinate-master-1.domain
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 <-snip->
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:subordinate-master-1.domain, DNS:puppetmaster.domain
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             Netscape Comment:
>                 Puppet Ruby/OpenSSL Internal Certificate
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Subject Key Identifier:
>                 F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
>             X509v3 Extended Key Usage: critical
>                 TLS Web Server Authentication, TLS Web Client Authentication
> <-snip->
>
> Thanks,
> Scott
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
Please DO NOT take this as RTFM, but have you checked out the docs that we
recommend for the process here --> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html

If you're using them and there are things going wrong, PLEASE let us know
what steps have fallen through so we can get that cleared up ASAP! If you've
not seen the docs, you might want to check the process we suggested and see
if there's something you did that differs.

--
Gary Larizza
Professional Services Engineer
Puppet Labs
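The check Nan Liu asks for above (does the sub-master present the same CA as the top-level master, and is the sub-master's cert signed by that CA?) can be scripted around the same openssl x509 commands the thread uses. The script below is an added example, not code from the thread, from Puppet, or from the docs Gary links; it goes a little beyond the thread by also catching the failure mode where a sub-master has grown its own CA, and by checking that the server cert's Authority Key Identifier names the CA's Subject Key Identifier. It builds a throwaway PKI in a temp directory so it runs offline; the .example host names are made up, and the /var/lib/puppet/ssl paths it mentions are the ones quoted in the thread, which is where you would point the same functions on a real master.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet. It checks the property
# Nan Liu asks about: every master must carry the same CA certificate, and each
# master's server certificate must chain to it. The PKI it inspects is constructed
# test material built in a temp dir; on a real master point the same functions at
# /var/lib/puppet/ssl/certs/ca.pem and /var/lib/puppet/ssl/certs/<fqdn>.pem
# (paths as given in the thread; the .example host names below are made up).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Hex Subject Key Identifier of a certificate (empty if it has none).
ski_of() {
  openssl x509 -noout -text -in "$1" \
    | awk '/Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'
}

# Hex Authority Key Identifier; older OpenSSL prefixes it with "keyid:", so strip that.
aki_of() {
  openssl x509 -noout -text -in "$1" \
    | awk '/Authority Key Identifier/ { getline; sub(/keyid:/, ""); gsub(/ /, ""); print; exit }'
}

# 0 if both files hold the very same certificate, else 1.
same_ca() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# 0 if certificate $2 chains to the CA certificate in $1, else 1.
issued_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate carries basicConstraints CA:TRUE, else 1.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Self-signed CA "Puppet CA: $1", written to $2.key and $2.pem (test material only).
new_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Puppet CA: $1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$2.pem" 2>/dev/null
}

# Server cert for host $1 signed by the CA at $2.key/$2.pem, written to $3.key/$3.pem.
new_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$3.pem" 2>/dev/null
}

# Constructed PKI: the top-level CA, the copy of it a sub-master should hold, a
# sub-master cert signed by it, and an unrelated CA standing in for a sub-master
# that generated its own CA instead of receiving the top-level one.
make_test_pki() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth,clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:subordinate-master-1.example,DNS:puppetmaster.example\n' > "$WORK/leaf.ext"
  new_ca "top-level-master.example" "$WORK/ca"
  cp "$WORK/ca.pem" "$WORK/sub-ca.pem"
  new_leaf "subordinate-master-1.example" "$WORK/ca" "$WORK/sub"
  new_ca "subordinate-master-1.example" "$WORK/rogue"
}

# Run a check by name and report it without aborting the script under set -e.
check() { label=$1; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi; }
not() { ! "$@"; }

make_test_pki
check "sub-master's ca.pem is byte-for-byte the top-level CA"  same_ca "$WORK/ca.pem" "$WORK/sub-ca.pem"
check "a sub-master with its own CA is detected"               not same_ca "$WORK/ca.pem" "$WORK/rogue.pem"
check "sub-master server cert chains to the top-level CA"      issued_by "$WORK/ca.pem" "$WORK/sub.pem"
check "it does not chain to the rogue CA"                      not issued_by "$WORK/rogue.pem" "$WORK/sub.pem"
check "ca.pem carries CA:TRUE"                                 is_ca_cert "$WORK/ca.pem"
check "server cert carries CA:FALSE"                           not is_ca_cert "$WORK/sub.pem"
check "server cert's AKI names the top-level CA's SKI"         test "$(aki_of "$WORK/sub.pem")" = "$(ski_of "$WORK/ca.pem")"
```

On real masters, run cert_fingerprint against certs/ca.pem on each box and compare the two strings, then issued_by with certs/ca.pem and the sub-master's certs/<fqdn>.pem. Comparing files on disk is only half the story, though: what matters is what Apache actually serves, so finish with `openssl s_client -connect sub-master:8140 -showcerts </dev/null` (8140 being the default master port; substitute yours) and fingerprint the CA certificate that comes back over the wire the same way. If that differs from the top-level ca.pem, the SSLCertificateChainFile / SSLCACertificateFile lines in the Apache config are pointing at the wrong file, which is exactly the question Nan raises about /var/lib/puppet/ssl/ca/ca_crt.pem versus certs/ca.pem.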