On Friday, November 15, 2013 1:30:53 PM UTC-5, Ken Barber wrote:
>
> > What you're saying makes perfect sense -- regarding this being something 
> > that the puppetdb-terminus stuff does and making it an option in 
> > puppetdb.conf, etc. 
> > 
> > Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby
> > is very limited) and I see that the http_pool.rb configures the ssl stuff
> > setting ca_cert = Puppet[:localcacert].  That defaults to
> > $certdir/certs/ca.pem.  I've tried also explicitly specifying it in the
> > config file, but to no avail. I still get the verify failure, although doing
> > this manually in irb is working:
> > 
> > require 'net/https' 
> > http = Net::HTTP.new('puppetdb.<domain>', 443) 
> > http.use_ssl = true 
> > http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem' 
> > # (I concatenated the global CA onto the end of ca.pem) 
> > http.verify_mode = OpenSSL::SSL::VERIFY_PEER 
> > http.send('get', '/') 
> > #<Net::HTTPFound 302 Found readbody=true> 
> > 
> > I validated that pointing at the original ca.pem file fails as expected. So
> > I'm a little confused as to why puppetmaster isn't succeeding after I
> > modified that file.  Perhaps there's some additional verification happening.
> > I'll probably give up soon :)
>
> Can you capture your feature requirements in redmine for us? 
>
> http://projects.puppetlabs.com/projects/puppetdb 
>
> ken. 
>

Will do.

Thanks! 
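
The irb check quoted above (original ca.pem fails, ca.pem with the global CA appended verifies) can be reproduced offline. This is an added example, not code from the thread or from PuppetDB: the CA names, the host name and the helper functions are constructed for illustration, and it uses OpenSSL::X509::Store directly instead of a live Net::HTTP connection.

```ruby
require 'openssl'
require 'tempfile'

# Issue a certificate (constructed test data). Without an issuer it is self-signed.
def issue(cn, issuer = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..0xFFFFFF)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Load a PEM bundle into a trust store and verify cert against it.
# Returns [verified?, OpenSSL's error string].
def verify_with(ca_path, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_path) # reads every certificate in the file
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Compare the original bundle with the one that has the second CA appended.
def compare_bundles
  puppet_ca = issue('Constructed Puppet CA', ca: true)
  global_ca = issue('Constructed Global CA', ca: true)
  server    = issue('puppetdb.example.test', global_ca) # signed by the global CA
  Tempfile.create('ca.pem') do |orig|
    Tempfile.create('ca-combined.pem') do |comb|
      orig.write(puppet_ca[:cert].to_pem); orig.flush
      comb.write(puppet_ca[:cert].to_pem + global_ca[:cert].to_pem); comb.flush
      { original: verify_with(orig.path, server[:cert]),
        combined: verify_with(comb.path, server[:cert]) }
    end
  end
end

compare_bundles.each { |name, (ok, err)| puts "#{name}: verified=#{ok} (#{err})" }
```

Running the same `verify_with` against the file a process is actually configured to read shows whether that process is loading the modified bundle or a different one.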
