Issue #3120 has been updated by James Turnbull. Target version changed from 0.25.5 to 0.25.6
----------------------------------------
Bug #3120: 'localcacert' doesn't behave as described
http://projects.puppetlabs.com/issues/3120

Author: eric sorenson
Status: Investigating
Priority: Normal
Assigned to:
Category: SSL
Target version: 0.25.6
Affected version: 0.25.1
Keywords: ssl certificate ca
Branch:

I've been grappling with the problem of getting multiple CA certificates set up, one per puppetmaster, as described in MultipleCertificateAuthorities on the wiki. The overall goal is to be able to have N puppetmasters who all issue certificates and trust each other's certs so no additional bootstrapping would be needed to get clients up and running.

This is way tougher than I expected, and I think at least part of it is some confusing behaviour on puppet's part, to wit: the docs for the 'localcacert' variable say:

{{{
# Where each client stores the CA certificate.
# The default value is '$certdir/ca.pem'.
localcacert = /etc/puppet/ssl/certs/ca.pem
}}}

The docs suggest this ought to be the CA's certificate or bundle. But what seems to be happening is that on the puppetmaster, this cert is used *as the CA Cert* for signing requests, overriding the value of 'cacert', and causing 'key and certificate don't match' errors thrown from Puppet::SSL::Host.certificate. I notice that Markus recently changed this part of the code for #2890, but at a glance it looks like this would continue.

To reproduce:
- specify different certificates for cacert and localcacert
- request a certificate
- be surprised at which one issues your client's cert

More generally, it would be great if somebody in the know took a look at the wiki docs for this and beat them into shape to make a better supported / less voodoo way to set up multiple masters. PuppetScalability and MultipleCertificateAuthorities have "hey it worked for me...sorta" type of docs.
What I've done to get things working is to follow Paul Lathrop's post: http://groups.google.com/group/puppet-users/msg/89b75ebe91c5985b which definitely simplifies things, but isn't written up anywhere. I'll be happy to do that if it turns out to be the best way, but it'd be good to get a ruling on whether I'm doing something wrong with the chained CA setup first.

Thanks
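The symptom reported above ("key and certificate don't match", and a client cert issued by an unexpected CA) comes down to two checks an operator can run directly against the CA key and the certificates that 'cacert' and 'localcacert' point at. The following Ruby script is an added example, not code from the issue or from Puppet itself: it uses only Ruby's OpenSSL bindings, generates two throwaway CAs in memory (the names master-a-ca, master-b-ca and agent.example are constructed), and shows how to tell which CA cert actually matches the signing key and which CA signed a given host cert. The function and option names are this example's own, not Puppet settings.

```ruby
require 'openssl'

# Everything below is constructed for this example; keys and certs are
# generated in memory rather than read from /etc/puppet/ssl.

# Build a self-signed CA (private key + certificate) with the given CN.
def make_ca(cn, serial = 1)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Issue a host certificate signed by the CA whose key and cert are given.
def issue_host_cert(ca_key, ca_cert, cn, serial = 100)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Does this private key belong to this certificate?  A false here is the
# condition behind a "key and certificate don't match" error.
def key_matches_cert?(key, cert)
  cert.check_private_key(key)
end

# Was host_cert signed with the key behind ca_cert?
def issued_by?(host_cert, ca_cert)
  host_cert.verify(ca_cert.public_key)
end

# Given the CA private key plus the certs that 'cacert' and 'localcacert'
# point at (all as PEM strings), report which of them the key matches.
# If only one of the two matches, the two settings name different CAs and
# whichever one the master signs with decides who issues client certs.
def check_ca_config(ca_key_pem, cacert_pem, localcacert_pem)
  key    = OpenSSL::PKey::RSA.new(ca_key_pem)
  cacert = OpenSSL::X509::Certificate.new(cacert_pem)
  local  = OpenSSL::X509::Certificate.new(localcacert_pem)
  {
    cacert_matches_key:      key_matches_cert?(key, cacert),
    localcacert_matches_key: key_matches_cert?(key, local),
    same_cert:               cacert.to_der == local.to_der
  }
end

if __FILE__ == $PROGRAM_NAME
  a_key, a_cert  = make_ca('master-a-ca')
  _b_key, b_cert = make_ca('master-b-ca', 2)
  _h_key, host   = issue_host_cert(a_key, a_cert, 'agent.example')

  # Consistent config: both settings point at master A's CA cert.
  p check_ca_config(a_key.to_pem, a_cert.to_pem, a_cert.to_pem)
  # Mismatched config: localcacert points at master B's cert.
  p check_ca_config(a_key.to_pem, a_cert.to_pem, b_cert.to_pem)
  # Which CA really issued the host cert?
  p [issued_by?(host, a_cert), issued_by?(host, b_cert)]
end
```

Run against a real master by passing the contents of the CA key file and the two certificate paths from puppet.conf into check_ca_config; a result where cacert_matches_key and localcacert_matches_key disagree is the configuration the report describes, and issued_by? on a freshly signed client cert tells you which of the two CAs the master actually used.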
