Turns out this was the problem - thanks for the help, guys. As always,
talking it out helped point me down the right path.

Thanks, 

Rog

On Tuesday, November 18, 2014 9:56:05 AM UTC-5, Roger Sherman wrote:
>
> Right - and on that note, I think I've made a little bit of progress, but 
> I'm still not there yet.
>
> I looked at the apache vhost file for the puppetmaster, and found the 
> following:
>
> # you probably want to tune these settings
>
> PassengerHighPerformance on
>
> PassengerMaxPoolSize 12
>
> PassengerPoolIdleTime 1000
>
> # PassengerMaxRequests 1000
>
> PassengerStatThrottleRate 120
>
> RackAutoDetect Off
>
> RailsAutoDetect Off
>
>
> Listen 8140
>
> NameVirtualHost 10.60.0.100:8140
>
>
> <VirtualHost 10.60.0.100:8140>
>
> #       LogLevel debug
>
>         ServerName puppet.nyc.viddler.com
>
>         SSLEngine on
>
>         SSLProtocol -ALL +SSLv3 +TLSv1
>
>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>
>         SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
>
>         SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
>
>         SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
>         SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
>         # If Apache complains about invalid signatures on the CRL, you can try disabling
>
>         # CRL checking by commenting the next line, but this is not recommended.
>
>         SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>
>
> So "domain" is our old domain, and 10.60 needs to be changed as well.
>
> I'll report back if this fixes the issue or not.
>
> On Tuesday, November 18, 2014 9:46:22 AM UTC-5, jcbollinger wrote:
>>
>>
>>
>> On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote:
>>>
>>> For some reason, (I think) the PM is unable to sign them. At least, 
>>> that's what seems to be the case.
>>>
>>
>>
>> Well yes, sort of.  It appears that the PM is unable to sign the requests 
>> because the client is unable to establish a secure connection over which to 
>> *issue* the request in the first place.  (The client doesn't need its 
>> own cert for that.  The client cert is for the client to prove its identity 
>> to the master, which it doesn't need to do to request cert signing.)
>>
>>
>> John
>>
>>
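The mismatch found in this thread (a vhost still bound to the old IP and pointing at certificate files issued for the old domain) can be checked mechanically. The following is an added example, not part of the original thread or of Puppet's own tooling; the function names are hypothetical, the vhost text is reconstructed from the quoted config, `192.0.2.10` is a constructed address, and it assumes Puppet's `<certname>.pem` file naming.

```python
import os
import re

# Constructed sample: the SSL-relevant lines of the vhost quoted in the thread.
SAMPLE_VHOST = """\
Listen 8140
NameVirtualHost 10.60.0.100:8140
<VirtualHost 10.60.0.100:8140>
        ServerName puppet.nyc.viddler.com
        SSLEngine on
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
</VirtualHost>
"""

def parse_directives(text):
    """Return (name, argument) pairs for directives and opening section tags."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        m = re.match(r"<?(\w+)\s+([^>]*)>?$", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def audit_vhost(text, local_addresses):
    """List mismatches between the vhost and the host it now runs on."""
    findings = []
    pairs = parse_directives(text)
    server_names = [arg for name, arg in pairs if name == "ServerName"]
    for name, arg in pairs:
        if name in ("VirtualHost", "NameVirtualHost"):
            addr = arg.rsplit(":", 1)[0]
            if addr not in ("*", "_default_") and addr not in local_addresses:
                findings.append(f"{name} binds {addr}, not a local address")
        elif name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            # Assumption: Puppet stores these as <certname>.pem
            certname = os.path.splitext(os.path.basename(arg))[0]
            if certname not in server_names:
                findings.append(f"{name} is for {certname}, ServerName is "
                                f"{', '.join(server_names) or 'unset'}")
    return findings

if __name__ == "__main__":
    # 192.0.2.10 stands in for the master's new address (constructed value).
    for finding in audit_vhost(SAMPLE_VHOST, {"192.0.2.10"}):
        print(finding)
```

An empty result means the bind address and certificate file names agree with the host's current identity; it does not verify the certificate contents themselves.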
