OK... I have finally cleaned up most of the mess this has created...

One of the issues I guess was that I was also trying to move the
puppetca from one puppetmaster to another...

I now have a situation where I have 2 puppetmasters, one "master"
and one "slave-master"... The master holds the puppetca for all
hosts (with an rsync process to the slave-master for backup), the
slave-master doesn't do any CA work (as far as I can tell)

Clients connected to the master work fine, clients connecting to
the slave-master for puppet and master for ca_server are not
fine. I'm getting the message "unknown ca". Given that the slave-master
is not using a ca, I'm fairly sure that this means that it's the one
complaining about not knowing the ca...

If I pull the config back to the following on the clients:

   server = puppetmaster-slave
   ca_server = puppetmaster-master

I still have the same problems. Is there anything else I've got to
set to get the clients to do all CA work from the correct master?

(Note, the slave-master is set to get everything from the master,
and the puppet client daemon running on the slave-master successfully
gets everything it needs from the master.)

thanks,

Greg

On May 21, 2:24 pm, Greg <greg.b...@gmail.com> wrote:
> Not running Apache - I'm still using a WEBrick based setup, mostly
> because Apache -> Mongrel
> isn't playing ball... But that's a different story...
>
> Further analysis has shown me that there is an error message in
> WEBrick's masterhttp.log file:
>
> [2009-05-21 13:54:30] ERROR OpenSSL::SSL::SSLError: SSL_accept
> returned=1 errno=
> 0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
>         /opt/csw/lib/ruby/1.8/openssl/ssl.rb:166:in `accept'
>
> At first I thought it had chopped off the alert, but it appears to be
> complaining about the lack of a
> CA... The files all appear to be in order - it's signing certificates
> happily enough...
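
Added example (not part of the original message, and not Puppet's own code): an OpenSSL chain check fails with "unable to get local issuer certificate" when the issuing CA is absent from the verifier's trust store, which is the condition a TLS peer reports as the `unknown ca` alert in the log above. The CA and host names are constructed, and nothing is assumed about which certificates each puppetmaster or client actually loads.

```ruby
require 'openssl'

# Build one certificate; self-signed when no issuer is given.
# All names and keys here are constructed test data, not Puppet's own CA.
def make_cert(cn, issuer_cert = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify `cert` against a trust store holding only `trusted_ca`,
# the same chain check a TLS peer runs during the handshake.
def verify_against(trusted_ca, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  ok = store.verify(cert)
  { ok: ok, code: store.error, reason: store.error_string }
end

# Two unrelated CAs stand in for the CA that signed a certificate and
# for whatever CA the verifying peer has loaded instead (assumption).
CA_A, CA_A_KEY = make_cert('constructed-ca-a', ca: true)
CA_B, _        = make_cert('constructed-ca-b', ca: true)
HOST_CERT, _   = make_cert('constructed-host', CA_A, CA_A_KEY)

if __FILE__ == $PROGRAM_NAME
  p verify_against(CA_A, HOST_CERT)  # issuer is in the store
  p verify_against(CA_B, HOST_CERT)  # issuer is missing from the store
end
```

The same check can be run on each host against the real files by loading them with `OpenSSL::X509::Certificate.new(File.read(path))` and passing them to `verify_against`.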