> What you're saying makes perfect sense -- regarding this being something
> that the puppetdb-terminus stuff does and making it an option in
> puppetdb.conf, etc.
>
> Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby
> is very limited) and I see that the http_pool.rb configures the ssl stuff
> setting ca_cert = Puppet[:localcacert]. That defaults to
> $certdir/certs/ca.pem. I've tried also explicitly specifying it in the
> config file, but to no avail. I still get the verify failure, although doing
> this manually in irb is working:
>
> require 'net/https'
> http = Net::HTTP.new('puppetdb.<domain>', 443)
> http.use_ssl = true
> http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem'
> # (I concatenated the global CA onto the end of ca.pem)
> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> http.send('get', '/')
> #<Net::HTTPFound 302 Found readbody=true>
>
> I validated that pointing at the original ca.pem file fails as expected. So
> I'm a little confused as to why puppetmaster isn't succeeding after I
> modified that file. Perhaps there's some additional verification happening.
> I'll probably give up soon :)

Can you capture your feature requirements in redmine for us?

http://projects.puppetlabs.com/projects/puppetdb

ken.
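
The trust-store behaviour described in the quoted message (the original ca.pem rejects the server certificate, the ca.pem with a second CA appended accepts it) can be reproduced offline. This is an added example, not code from the thread or from Puppet; the CA names, the host name puppetdb.example.test and the file names are constructed, and it checks only chain trust, not host name matching.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test PKI: issue a certificate; self-signed CA when no issuer is given.
def make_cert(cn, serial, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  constraint = issuer_cert ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Check a server certificate against every CA certificate in a PEM file,
# the same trust decision a client makes with ca_file + VERIFY_PEER.
def trusted?(server_cert, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) # loads all certificates concatenated in the file
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

def demo
  puppet_ca, = make_cert('Constructed Puppet CA', 1)
  global_ca, global_key = make_cert('Constructed Global CA', 1)
  server, = make_cert('puppetdb.example.test', 2, global_ca, global_key)
  Dir.mktmpdir do |dir|
    original = File.join(dir, 'ca.pem')        # Puppet CA only
    bundle   = File.join(dir, 'ca-bundle.pem') # Puppet CA + global CA appended
    File.write(original, puppet_ca.to_pem)
    File.write(bundle, puppet_ca.to_pem + global_ca.to_pem)
    { original: trusted?(server, original), bundle: trusted?(server, bundle) }
  end
end

RESULTS = demo
RESULTS.each { |name, (ok, reason)| puts "#{name}: verified=#{ok} (#{reason})" }
```

If a client still fails verification with the concatenated file, printing `store.error_string` for the certificate it actually receives shows which check rejected it.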