On 09/26/2013 08:01 AM, Michal Suchanek wrote:
> I noticed that my puppet agent fails to connect to puppet server due to
> invalid certificate.

Please provide the puppet error details, if this is the actual issue of concern. (There are no reverse dependencies on ca-certificates by puppet packages that I could see, and the only thing close may be ruby-excon? I don't have a puppet install to test and don't know if this ruby module is used, or if puppet/puppetmaster even use ca-certificates in some way.)

> While it might be the job of puppet to maintain the certificates I went
> ahead and added the puppet CA:

I don't know if puppet uses the CA trust store of ca-certificates. Does it?

> ln -sf /var/lib/puppet/ssl/certs/ca.pem
> /usr/local/share/ca-certificates/puppet-ca.crt

Did you 'update-ca-certificates' after this?

> tried to connect to puppet server:
>
> openssl s_client -connect localhost:8140
>
> ....
> Verify return code: 19 (self signed certificate in certificate chain)
>
> openssl s_client -connect localhost:8140 -CApath /etc/ssl/certs
>
> ....
> Verify return code: 0 (ok)
>
> WTF?

Looks ok to me. I can assume that you did run update-ca-certificates to create the /etc/ssl/certs symlink and openssl validates ok with -CApath.

> Oh yeah, openssl does not verify hostname. It's *that* awesome.

openssl s_client is only for testing, as is stated in the man page - it worked as desired above, as far as I can tell.

> Any idea how I can add local certificate so that it's actually used?

Could you please restate the actual problem we need to look at?

-- 
Kind regards,
Michael Shuler
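An added example, not code from the thread, from puppet or from ca-certificates: it builds a throwaway CA and server certificate, mirrors the hashed symlink that update-ca-certificates creates under /etc/ssl/certs (which is what -CApath lookups depend on), and then runs the chain check and the hostname check separately, since s_client only does the former. It assumes the openssl CLI (1.1.1 or newer) is installed; the CA name and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway CA and server cert
# separate the two checks the thread touches, chain trust (settled by
# -CApath/-CAfile) and hostname matching (which s_client does not do by
# itself). Assumes the openssl CLI, 1.1.1 or newer; names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=puppet.example.internal

make_certs() {
    # Minimal req config so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Puppet CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Leaf certificate with the hostname in subjectAltName, which is what
    # hostname verification matches against.
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
    openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
    # What update-ca-certificates produces under /etc/ssl/certs: -CApath looks
    # up <subject-hash>.0, so a file that is merely copied in is never found.
    mkdir -p "$WORK/certs"
    cp "$WORK/ca.pem" "$WORK/certs/puppet-ca.pem"
    ln -s puppet-ca.pem "$WORK/certs/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
}

# Chain check only; passes regardless of which host the cert was issued for.
# -no-CAfile keeps the system bundle out so only our directory decides.
verify_chain() {
    openssl verify -no-CAfile -CApath "$WORK/certs" "$WORK/server.pem" 2>&1 | grep -q ': OK$'
}

# Chain check plus hostname check against the name given as $1.
verify_host() {
    openssl verify -no-CAfile -CApath "$WORK/certs" -verify_hostname "$1" \
        "$WORK/server.pem" 2>&1 | grep -q ': OK$'
}

make_certs
verify_chain && echo "chain: trusted via hashed CApath"
verify_host "$HOST" && echo "hostname $HOST: matches"
verify_host other.example.internal || echo "hostname other.example.internal: rejected"
```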