Issue #3120 has been updated by Jeff McCune.

Status changed from Closed to Accepted
Assignee set to Jeff McCune
# Disambiguate for Telly #

In the Puppet / Facter iteration planning meeting today we decided #3143 is too big of a feature to do in a single iteration, so we've moved "Disambiguate localcacert option for Telly." into the backlog.

For Telly and this week's iteration we're going to make sure the localcacert option is clearly disambiguated among these three behaviors:

* The CA uses this file to issue certificates. It should use cacert.
* The agent uses this file to authenticate master servers.
* The master uses this file to authenticate agent clients.

In order to ensure backwards compatibility, we must make sure these three behaviors are able to be separated by the end user for Telly. The initial idea is to add additional settings that all default to the value of localcacert and make sure the documentation for localcacert describes the behavior correctly.

----------------------------------------
Bug #3120: 'localcacert' doesn't behave as described
https://projects.puppetlabs.com/issues/3120#change-66586

Author: eric sorenson
Status: Accepted
Priority: Normal
Assignee: Jeff McCune
Category: SSL
Target version: 3.x
Affected Puppet version: 0.25.1
Keywords: ssl certificate ca
Branch:

I've been grappling with the problem of getting multiple CA certificates set up, one per puppetmaster, as described in MultipleCertificateAuthorities on the wiki. The overall goal is to be able to have N puppetmasters who all issue certificates and trust each other's certs so no additional bootstrapping would be needed to get clients up and running.

This is way tougher than I expected, and I think at least part of it is some confusing behaviour on puppet's part, to wit: The docs for the 'localcacert' variable say:

{{{
# Where each client stores the CA certificate.
# The default value is '$certdir/ca.pem'.
localcacert = /etc/puppet/ssl/certs/ca.pem
}}}

The docs suggest this ought to be the ca's certificate or bundle.
But what seems to be happening is that on the puppetmaster, this cert is used *as the CA Cert* for signing requests, overriding the value of 'cacert', and causing 'key and certificate don't match' errors thrown from Puppet::SSL::Host.certificate. I notice that Markus recently changed this part of the code for #2890 but at a glance it looks like this would continue.

To reproduce:
- specify different certificates for cacert and localcacert
- request a certificate
- be surprised at which one issues your client's cert

More generally it would be great if somebody in the know took a look at the wiki docs for this and beat them into shape to make a better supported / less voodoo way to set up multiple masters. PuppetScalability and MultipleCertificateAuthorities have "hey it worked for me...sorta" type of docs.

What I've done to get things working is followed Paul Lathrop's post: http://groups.google.com/group/puppet-users/msg/89b75ebe91c5985b which definitely simplifies things, but isn't written up anywhere. I'll be happy to do that if it turns out to be the best way but it'd be good to get a ruling on whether I'm doing something wrong with the chained CA setup first.

Thanks
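The three roles the update lists (a CA cert paired with the CA key for issuing, and a trust bundle the agent and master each use to verify the other side) can be shown end to end with Ruby's OpenSSL bindings. This is an added example, not code from the issue or from Puppet itself: the two CAs "Puppet CA A" and "Puppet CA B", the host names and the serial numbers are constructed here. It demonstrates why one file cannot serve both jobs once there is more than one CA: a bundle of N CA certs is the right thing for verification, but the signing side needs exactly the cert that pairs with the CA's private key, and pairing the key with another CA's cert is the "key and certificate don't match" condition the reporter describes.

```ruby
require 'openssl'

# Added example (not Puppet code). "A" and "B" stand for two puppetmasters'
# CAs; all names, serials and lifetimes below are constructed.

# Build a self-signed CA: returns its private key and certificate.
def make_ca(cn, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Role 1 (the CA, i.e. 'cacert' paired with the CA key): issue an end-entity cert.
def issue_cert(ca, cn, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca[:cert].subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca[:key], OpenSSL::Digest.new('SHA256'))  # signed by the CA key
  { key: key, cert: cert }
end

# Roles 2 and 3 (what 'localcacert' is documented to be): a trust bundle used
# to verify a peer's certificate. With N masters, the bundle holds N CA certs.
def trusted?(bundle, peer_cert)
  store = OpenSSL::X509::Store.new
  bundle.each { |ca_cert| store.add_cert(ca_cert) }
  store.verify(peer_cert)
end

# The signing side: the CA private key must pair with the CA cert used for
# signing. Pairing it with another CA's cert is the
# "key and certificate don't match" condition.
def key_matches?(cert, key)
  cert.check_private_key(key)
end

def demo
  ca_a   = make_ca('Puppet CA A', 1)
  ca_b   = make_ca('Puppet CA B', 2)
  agent  = issue_cert(ca_a, 'agent1.example.com', 10)
  master = issue_cert(ca_b, 'master.example.com', 11)
  bundle = [ca_a[:cert], ca_b[:cert]]          # what a multi-master trust file holds
  {
    agent_trusted_by_a:       trusted?([ca_a[:cert]], agent[:cert]),   # true
    agent_trusted_by_b:       trusted?([ca_b[:cert]], agent[:cert]),   # false
    agent_trusted_by_bundle:  trusted?(bundle, agent[:cert]),          # true
    master_trusted_by_bundle: trusted?(bundle, master[:cert]),         # true
    cakey_a_vs_cacert_a:      key_matches?(ca_a[:cert], ca_a[:key]),   # true
    cakey_a_vs_cacert_b:      key_matches?(ca_b[:cert], ca_a[:key])    # false
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |check, result| puts "#{check}: #{result}" }
end
```

The verification calls accept any cert chained to a CA in the bundle, which is the behaviour an agent or master wants from a trust file; the `check_private_key` call only passes for the one cert that belongs to the CA key, which is the behaviour the issuing side needs. Keeping those two files as a single setting is what makes the multi-CA setup in the report break.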
