Here's the current state of affairs: Server A is the Puppetmaster for Server B
I bring up Server B, run puppetd --test and sign Server B's cert on Server A
I bring up Server C, set ca_server=servera, run puppetd --test and sign Server C's cert on Server A

When I run puppetd --test on Server C (which has a cert signed by Server A) it connects to Server B
I get the following:

warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Retrieving plugins
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
err: /File[/var/lib/puppet/lib]/source: Could not describe /plugins: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
warning: /File[/var/lib/puppet/lib]/ensure: No specified sources exist
warning: /File[/var/lib/puppet/lib]/ensure: No specified sources exist
warning: /File[/var/lib/puppet/lib]/source: No specified sources exist
err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
warning: Not using cache on failed catalog
[EMAIL PROTECTED]:~#

It still seems like Server B does not trust the cert signed by Server A

On Nov 10, 10:50 pm, RijilV <[EMAIL PROTECTED]> wrote:
> 2008/11/10 Eugene Ventimiglia <[EMAIL PROTECTED]>
>
> > Well I know I have to do something besides setting ca_server on Server 3
> > because it's not working
>
> > On Mon, Nov 10, 2008 at 9:54 PM, Ohad Levy <[EMAIL PROTECTED]> wrote:
>
> >> I'm not sure you need that, if your certificates are not chained...
> >> Server B should point to the same ca_server as server C.
>
> >> Hope it helps,
> >> Ohad
>
> If server B has a cert generated from the common puppet_ca, server C should
> be able to talk to server B, though I haven't tested that out. You might
> make sure that the cert that the puppet master is using is in fact generated
> from your puppet_ca.
>
> If that doesn't work for you, there are some pages on the wiki regarding
> setting up chained certs, though none of them are complete - rewriting them
> has been sitting on my todo list for awhile now. Ohad and I have also had
> some good conversations on this list about it, might try looking through the
> archives.
>
> .r'
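The check suggested in the quoted reply (is a given cert really issued by the common CA?), as an added example that is not part of the original thread: it builds two throwaway CAs with `openssl`, issues one cert, and shows that the cert verifies only against the CA that signed it. The CA names, file names and the idea that Server B generated its own CA are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed demo: two unrelated CAs stand in for Server A's CA and a CA that
# Server B generated for itself. All names and files here are made up.

make_ca() {      # make_ca <dir> <common-name>: self-signed CA key and cert
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
}

issue_cert() {   # issue_cert <ca-dir> <common-name> <out-prefix>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$3.csr" -days 1 -CAcreateserial \
    -CA "$1/ca_crt.pem" -CAkey "$1/ca_key.pem" -out "$3.pem" 2>/dev/null
}

trusted_by() {   # trusted_by <ca-cert> <cert>: exit 0 only if cert chains to ca
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issuer_of() {    # print the issuer DN, to see which CA really signed a cert
  openssl x509 -in "$1" -noout -issuer
}

demo() {
  work=$(mktemp -d) || return 1
  make_ca "$work/servera" "constructed CA on servera" || return 1
  make_ca "$work/serverb" "constructed CA on serverb" || return 1
  issue_cert "$work/servera" "serverc" "$work/serverc" || return 1
  issuer_of "$work/serverc.pem"
  for ca in servera serverb; do
    if trusted_by "$work/$ca/ca_crt.pem" "$work/serverc.pem"; then
      echo "serverc cert verifies against the $ca CA"
    else
      echo "serverc cert rejected by the $ca CA (peer would send 'unknown ca')"
    fi
  done
  rm -rf "$work"
}

demo
```

On real hosts the same `trusted_by` and `issuer_of` calls can be pointed at the CA certificate the master actually loads and at the agent's signed cert; the paths depend on the local ssldir and are not given in the thread.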
