On Thu, Jun 14, 2012 at 10:55 AM, Scott Merrill <ski...@skippy.net> wrote:
> On Thu, Jun 14, 2012 at 1:34 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> On Thu, Jun 14, 2012 at 10:12 AM, Scott Merrill <ski...@skippy.net> wrote:
>>> On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
>>>> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>>>>> If I point that node to my top-level Master (via entry in /etc/hosts),
>>>>> the `puppet agent --test --noop` invocation works without error.
>>>>
>>>> You want to make sure the subordinate master presents the same CA pub
>>>> key as the top-level master.
>>>
>>> This sounds like it may be the piece I've been missing.
>>>
>>> On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
>>> SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
>>> SSLCertificateKeyFile
>>> /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
>>> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>>> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>
>> Shouldn't the last line also be?
>> /var/lib/puppet/ssl/certs/ca.pem
>
> You're asking me? I'm the one looking for help! ;)
>
>
>>>> sub-master:
>>>> puppet agent -t --server sub-master --ca_server master
>>>
>>> I had not tried this test. Doing so fails in the same way that the client
>>> fails.
>>
>> Yeah, so it confirms so far they are only valid client certs.
>>
>> What's the result of the following command on sub-master and master?
>> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
>
> The output is the same on both the top-level and subordinate master:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Puppet CA: top-level-master.domain
>         Validity
>             Not Before: May 15 18:40:44 2012 GMT
>             Not After : May 15 18:40:44 2017 GMT
>         Subject: CN=Puppet CA: nlvmjt036.nwideweb.net
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
> <-snip->
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Comment:
>                 Puppet Ruby/OpenSSL Internal Certificate
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 F6:65:DC:F3:D7:A6:7F:C3:4C:BC:C3:72:A3:39:E3:4D:AA:F9:46:1D
> <-snip->
So normally for a self-signed CA the issuer and subject are the same. In this case you are issuing the certs via:

CN=Puppet CA: top-level-master.domain

However you are asking the system to verify against a CA cert that presents the subject as:

CN=Puppet CA: nlvmjt036.nwideweb.net

So can you locate your CA cert with the subject?

Subject: CN=Puppet CA: top-level-master.domain

This is the CA.pem file that should be used.

Nan
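The check Nan describes can be scripted so the mismatch is caught before anyone stares at `openssl x509 -text` output. The script below is an added example, not code from the thread or from Puppet; it assumes only that the `openssl` command-line tool is installed. It builds, in a temporary directory, a self-signed root CA named like the thread's top-level master, an agent cert signed by it, and a CA-flagged cert with a different subject also signed by the top-level CA (the shape of the ca.pem the quoted output shows: issuer `top-level-master.domain`, subject `nlvmjt036.nwideweb.net`). `check_ca_pair` then applies the three tests a CA file must pass to be the one agents should trust: it is self-signed (issuer equals subject), its subject equals the issuer on the leaf cert, and `openssl verify` accepts the chain. All certificate names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CA-file diagnosis with the openssl CLI.
# Assumes the openssl command-line tool is installed. All certificates are constructed
# in a temporary directory; the CNs mirror the names quoted in the thread.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# dn -subject|-issuer FILE : print the DN without the "subject="/"issuer=" prefix.
dn() {
  openssl x509 -noout "$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# make_self_signed_ca NAME CN : a root CA like the one the top-level Puppet master holds.
make_self_signed_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME CN SIGNER EXTSECTION : CSR for NAME, signed by SIGNER's key with the given extensions.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -sha256 \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# check_ca_pair LEAF CAFILE : returns 0 only if CAFILE is the CA agents should trust for LEAF.
check_ca_pair() {
  ca_subject="$(dn -subject "$2")"
  ca_issuer="$(dn -issuer "$2")"
  leaf_issuer="$(dn -issuer "$1")"
  # A root CA file is self-signed: its issuer and subject are the same DN.
  if [ "$ca_subject" != "$ca_issuer" ]; then
    echo "NOT SELF-SIGNED: $2 has subject [$ca_subject] but issuer [$ca_issuer]"
    return 1
  fi
  # The CA file's subject must be exactly the issuer printed on the leaf cert.
  if [ "$leaf_issuer" != "$ca_subject" ]; then
    echo "MISMATCH: $1 was issued by [$leaf_issuer], but $2 presents subject [$ca_subject]"
    return 1
  fi
  # Let OpenSSL check the signature and validity period as well.
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "CHAIN BROKEN: $1 does not verify against $2"
    return 1
  fi
  echo "OK: $1 chains to $2 (issuer == CA subject == [$ca_subject])"
}

# The real Puppet CA on the top-level master, and an agent cert it signed.
make_self_signed_ca top-ca "Puppet CA: top-level-master.domain"
issue agent "agent01.domain" top-ca v3_leaf
# A CA-flagged cert with a different subject, signed by the top-level CA: the kind of
# ca.pem the thread's openssl output shows (issuer top-level-master, subject nlvmjt036).
issue wrong-ca "Puppet CA: nlvmjt036.nwideweb.net" top-ca v3_ca

check_ca_pair "$WORK/agent.pem" "$WORK/top-ca.pem"
if check_ca_pair "$WORK/agent.pem" "$WORK/wrong-ca.pem"; then
  echo "unexpected: the mismatched CA file was accepted"
  exit 1
fi
```

On a real master the same function would be pointed at the files the thread names, for instance `check_ca_pair /var/lib/puppet/ssl/certs/top-level-master.domain.pem /var/lib/puppet/ssl/certs/ca.pem`; the first failing test tells you whether ca.pem is not a root at all (not self-signed), is a root for some other hierarchy (subject mismatch), or is the right subject but a stale or corrupted copy (chain broken).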