On Fri, 2009-09-18 at 07:56 -0700, Markus Roberts wrote:
> > In our specific case, the issue is that the client thinks that a given
> > CA cert with a name different than "ca" (ie generated by 0.24) is a
> > regular certificate and not a CA cert.
>
> It may just be me (or lack of coffee) but this sounds like the converse
> of what's described on the ticket (and what we were seeing).
>
> I believe 24.8 was creating certs called CA but with the fqdn for the
> CN; 25.0 wasn't accepting these because it wanted to use "ca" for the
> CN.

I don't feel quite right today (hope it's not the flu), so that might be me. I think I remember the following cause for the bug:

* 0.24 generates a CA whose CN=$ca_fqdn.
* upgrade to 0.25
* 0.25 client connects to master, asks for "ca" cert
* master sends cert whose CN=$ca_fqdn
* Client wants to locally write it as $ca_fqdn.pem, so thinks it is a normal cert, not a CA.
* Client cannot authenticate the server because there is no "ca.pem" file.

But if Luke found his patch fixes #2617, it might be that I didn't get exactly the issue and the above is wrong.

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
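Added example, not part of the original message and not Puppet's code: a Ruby sketch of the sequence listed above, where a CA certificate with CN=$ca_fqdn is stored under a CN-derived file name, next to a classification that reads the X.509 basicConstraints extension instead. The host names and all method names are constructed for illustration, and the extension check is an assumption about one possible approach, not the fix referenced for #2617.

```ruby
require 'openssl'

# Build a self-signed certificate. With ca: true it mimics the layout the
# message attributes to 0.24: a CA whose CN is the master's FQDN.
def build_cert(common_name, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Extract the CN value from the certificate subject.
def common_name(cert)
  cert.subject.to_a.find { |field, _value, _type| field == 'CN' }[1]
end

# Name-based storage as described in the message: the local file name
# follows the CN, so a CA with CN=$ca_fqdn never lands in ca.pem.
def filename_from_cn(cert)
  "#{common_name(cert)}.pem"
end

# Assumed alternative: decide CA status from the certificate itself.
def ca_cert?(cert)
  cert.extensions.any? do |ext|
    ext.oid == 'basicConstraints' && ext.value.include?('CA:TRUE')
  end
end

# Store CA certificates as ca.pem regardless of their CN.
def filename_from_extension(cert)
  ca_cert?(cert) ? 'ca.pem' : filename_from_cn(cert)
end
```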
