<snip>

> So I think I understand, what you are saying is that the client
> refuses to accept the PuppetDB's server certificate, because it's not
> signed by its own CA? This is not a client certificate thing, my point
> is - purely server side certs. Right? Because your PuppetDB's server
> cert is signed with a more global different CA, it doesn't work yeah?

That's exactly right, yeah. No client certs, just an issue with a different CA
being used for the puppetdb server cert. (I probably could have put this more
concisely from the beginning!)

> > It would be really nice if there was a way to say "hey, puppet[master] for
> > your outbound https connections, here's a ca-bundle.pem you can use to
> > verify servers". The idea that we'd use the puppetmaster CA *seems* wrong
> > here. Especially in an environment like ours where we have many (dozens) of
> > puppetmasters that each manage their own little ecosystems. (And we don't
> > really want to force a single CA.)
>
> Yeah, it's wrong in your multi-CA scenario for sure. We totally just
> use the HTTP libraries Puppet provides us and all its cert
> assumptions, for simplicity I guess. At least, it works for single-CA
> scenarios just fine.
>
> We could look into providing a feature for this probably. The change
> would probably need to occur in the puppetdb-terminus code and an
> option added to /etc/puppet/puppetdb.conf most probably.
>
> Although if Puppet itself supported multiple CA bundles, this wouldn't
> happen - I think the fix is more elegant in Puppet as all
> clients/termini/plugins using their HTTP libraries would just work for
> multi-ca without each one having to do its own thing.

What you're saying makes perfect sense -- regarding this being something that
the puppetdb-terminus stuff does and making it an option in puppetdb.conf, etc.

Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby is
very limited) and I see that http_pool.rb configures the SSL stuff, setting
ca_cert = Puppet[:localcacert]. That defaults to $certdir/certs/ca.pem. I've
also tried explicitly specifying it in the config file, but to no avail.

I still get the verify failure, although doing this manually in irb is working:

    require 'net/https'
    http = Net::HTTP.new('puppetdb.<domain>', 443)
    http.use_ssl = true
    # (I concatenated the global CA onto the end of ca.pem)
    http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem'
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.send('get', '/')
    #<Net::HTTPFound 302 Found readbody=true>

I validated that pointing at the original ca.pem file fails as expected. So I'm
a little confused as to why puppetmaster isn't succeeding after I modified that
file. Perhaps there's some additional verification happening. I'll probably
give up soon :)

Thanks again-
Hans

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9e2c238a-1c58-4e43-87fd-b29eb817209c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
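The failing and succeeding verifications described in the irb test above, reproduced offline as an added example that is not code from the thread, from Puppet or from PuppetDB: it constructs a puppetmaster CA, a separate organisation-wide CA and a PuppetDB server cert issued by the latter, then checks that cert against a bundle holding only the puppetmaster CA and against the same bundle with the global CA concatenated on, which is the check Net::HTTP#ca_file performs. The CA names, puppetdb.example and the helper names are assumptions made for the demo.

```ruby
require 'openssl'

# Build an X.509 cert for +cn+: self-signed CA when +issuer+ is nil, otherwise a
# server cert signed by +issuer+ ([key, cert]). Constructed demo material only.
def make_cert(cn, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  signing_key, issuer_cert = issuer || [key, cert]
  cert.issuer = issuer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# What Net::HTTP#ca_file amounts to: every cert in the PEM bundle goes into a
# store, and the server cert must chain to one of them.
def verify_against_bundle(server_cert, bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(server_cert)
end

# Stand-ins for the puppetmaster CA (what Puppet[:localcacert] points at), the
# organisation-wide CA, and a PuppetDB server cert issued by the latter.
PUPPET_CA = make_cert('Puppet CA: puppetmaster.example')
GLOBAL_CA = make_cert('Example Global CA')
PUPPETDB  = make_cert('puppetdb.example', issuer: GLOBAL_CA)

# ca.pem as Puppet generates it (puppetmaster CA only): verification fails.
def puppet_ca_only_ok?
  verify_against_bundle(PUPPETDB[1], PUPPET_CA[1].to_pem)
end

# ca.pem with the global CA concatenated onto the end: verification succeeds.
def concatenated_bundle_ok?
  verify_against_bundle(PUPPETDB[1], PUPPET_CA[1].to_pem + GLOBAL_CA[1].to_pem)
end

if __FILE__ == $PROGRAM_NAME
  puts "puppetmaster CA only: #{puppet_ca_only_ok?}"   # false
  puts "concatenated bundle:  #{concatenated_bundle_ok?}" # true
end
```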