Found a Puppet Server bug which sounds to me like the source of my problem: https://tickets.puppetlabs.com/browse/SERVER-346
On Thursday, July 2, 2015 at 6:36:52 PM UTC+2, Andreas Paul wrote:
>
> Hello there,
>
> I'm trying to bootstrap my new Puppet 4 environment with an external CA as
> described here:
> https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca
>
> Here is the important part of the config:
>
> webserver.conf:
>> ...
>> ssl-cert : /etc/puppetlabs/puppet/ssl/certs/<puppetca_fqdn>.pem
>> ssl-key : /etc/puppetlabs/puppet/ssl/private_keys/<puppetca_fqdn>.pem
>> ssl-ca-cert : /etc/puppetlabs/puppet/ssl/certs/clientsca.pem
>> ssl-cert-chain : /etc/puppetlabs/puppet/ssl/certs/chain.pem
>> ssl-crl-path : /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
>> ...
>
> The chain.pem contains both the Root CA and the intermediate CA
> certificates.
>
> A connection check with openssl works:
>
>> $ openssl s_client -verify 2 -CAfile /etc/puppetlabs/puppet/ssl/certs/chain.pem -cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem -key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem -connect localhost:8140 2>/dev/null | grep Verify
>> Verify return code: 0 (ok)
>
> and I also added ssl_client_ca_auth to the puppet.conf:
>
>> [main]
>> ssl_client_ca_auth = $certdir/chain.pem
>
> The problem I have is that the client cannot get the CRL for the
> intermediate CA:
>
>> Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /O=MyCompany/OU=MyUnit/CN=Puppet Clients CA]
>
> When I try to replace /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem with a CRL
> generated from the self-signed Root CA, I get:
>
>> Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /CN=<puppetca_fqdn>]
>
> My theory is that I need to provide the Puppetserver both CRLs. One issued
> by the Root CA, if the intermediate CA is still valid and one issued by the
> intermediate CA if the client cert is still valid.
>
> I tried concatenating both CRLs into
> /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem with different order, but the
> Puppetserver seems to only use the first CRL found inside.
>
> Is there a way to provide the Puppetserver with both CRLs or is the single
> intermediate CA architecture even supported with Puppet 4/Puppetserver?
>
> Thanks in advance!
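The two "unable to get certificate CRL" errors quoted above are what OpenSSL's verifier reports when CRL checking covers the whole chain and one of the two CRLs is missing. The following script is an added example, not part of this thread and not Puppet's own code: it builds a constructed Root CA, an intermediate "Clients CA" and a client certificate with the plain openssl CLI, issues one CRL per CA, and runs `openssl verify -crl_check_all` against the concatenated CRL file and against each CRL alone, then revokes the client cert to confirm the check is enforced. It assumes only that the `openssl` binary (1.1.1 or 3.x) is on PATH; every subject, path and file name in it is made up for the demo. Whether Puppet Server's own loader reads more than the first CRL out of `ca_crl.pem` is a separate question (the reply above points at a Puppet Server ticket for that); this shows what a correct multi-CRL check of the same file looks like, and `count_crls` is the check to run on a real `ca_crl.pem` to confirm both CRLs actually made it into the file.

```shell
#!/bin/sh
# Added example (not from the thread): Root CA -> intermediate CA -> client cert,
# one CRL per CA, and full-chain CRL checking with the openssl CLI.
# All subjects, paths and names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal `openssl req` config: empty DN section (we pass -subj) and CA
# extensions that are applied only to the self-signed root (-x509).
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extensions for the intermediate CA cert (default section of an -extfile).
cat > "$WORK/int.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Give one CA the bare `openssl ca` state it needs to issue CRLs:
# a config, an empty index (database) and a CRL number counter. $1 = directory.
init_ca_dir() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
}

# Issue a CRL. $1 = CA dir, $2 = CA cert, $3 = CA key, $4 = output CRL (PEM).
gen_crl() {
  openssl ca -config "$1/ca.cnf" -cert "$2" -keyfile "$3" -gencrl -out "$4" 2>/dev/null
}

# Verify the client cert against the chain, requiring a valid CRL for every cert
# in the chain (-crl_check_all); CRLs come from the file in $1.
# Exit status is the verifier's: 0 = OK, non-zero = failed.
verify_leaf() {
  openssl verify -crl_check_all -CAfile "$WORK/chain.pem" -CRLfile "$1" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Count the CRLs a PEM file actually contains (run this on a real ca_crl.pem).
count_crls() {
  grep -c 'BEGIN X509 CRL' "$1"
}

# Print the issuer of each CRL in a concatenated PEM file.
crl_issuers() {
  awk -v dir="$WORK" '/BEGIN X509 CRL/{n++} n>0{print > (dir "/crl_part_" n ".pem")}' "$1"
  for f in "$WORK"/crl_part_*.pem; do openssl crl -in "$f" -noout -issuer; done
  rm -f "$WORK"/crl_part_*.pem
}

# 1. Self-signed Root CA and an intermediate CA signed by it.
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=DemoOrg/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
  -subj "/O=DemoOrg/CN=Demo Clients CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# 2. Client certificate signed by the intermediate CA; chain file holds both CAs.
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
  -subj "/O=DemoOrg/CN=client.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/leaf.pem" 2>/dev/null
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# 3. One CRL per CA, then the concatenation the thread asks about.
init_ca_dir "$WORK/rootca"; init_ca_dir "$WORK/intca"
gen_crl "$WORK/rootca" "$WORK/root.pem" "$WORK/root.key" "$WORK/root.crl"
gen_crl "$WORK/intca"  "$WORK/int.pem"  "$WORK/int.key"  "$WORK/int.crl"
cat "$WORK/int.crl" "$WORK/root.crl" > "$WORK/both.crl"

# 4. Both CRLs pass; each one alone fails with "unable to get certificate CRL"
#    for the cert whose issuer's CRL is missing (the two errors from the thread).
for crlfile in both.crl int.crl root.crl; do
  if verify_leaf "$WORK/$crlfile"; then echo "$crlfile: OK"; else echo "$crlfile: FAILED"; fi
done

# 5. Revoke the client cert in the intermediate's CRL: the concatenated file
#    now rejects it, proving the check is enforced rather than skipped.
openssl ca -config "$WORK/intca/ca.cnf" -cert "$WORK/int.pem" -keyfile "$WORK/int.key" \
  -revoke "$WORK/leaf.pem" 2>/dev/null
gen_crl "$WORK/intca" "$WORK/int.pem" "$WORK/int.key" "$WORK/int.crl"
cat "$WORK/int.crl" "$WORK/root.crl" > "$WORK/both_revoked.crl"
if verify_leaf "$WORK/both_revoked.crl"; then echo "revoked client: still accepted"; else echo "revoked client: rejected"; fi
echo "CRLs in both.crl: $(count_crls "$WORK/both.crl")"
crl_issuers "$WORK/both.crl"
```

Save it as `crl_chain_demo.sh` and run `sh crl_chain_demo.sh`; it needs no network and cleans up its temporary directory. The expected printout is `both.crl: OK`, `int.crl: FAILED`, `root.crl: FAILED`, `revoked client: rejected`, and two issuers for the concatenated file. The Root CA's CRL has to be present even though the Root CA itself is trusted, because with full-chain checking the intermediate's revocation status is looked up in the CRL its issuer signed.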