On Mon, 29 Nov 2010, Alan Barrett wrote:
> It seems to me that I should be able to take the $ssldir/ca/ca_crt.pem
> files from the two puppetmasters, concatenate them to create a
> ca-bundle.pem file, and place the bundle in some suitable place where
> any client or server can use the bundle to verify certificates from
> any CA. I haven't been able to figure out where that suitable place
> is. Help?
I have a ca-bundle.pem file which contains the concatenation of the
ca.pem files from the two CAs. I make both cacert and localcacert on
the puppetmaster refer to that file:

    # extract from puppet.conf
    [puppetmasterd]
    cacert = $ssldir/certs/ca-bundle.pem
    localcacert = $ssldir/certs/ca-bundle.pem

The first time I run puppetd on the client it creates
/etc/puppet/ssl/certs/ca.cert with the wrong contents (the cert from
the master that it's talking to at the moment, not the bundle that I
want). I manually replace the client's /etc/puppet/ssl/certs/ca.cert
with a copy of the bundle.

Now the openssl tests described near the end of
<http://projects.puppetlabs.com/projects/1/wiki/Multiple_Certificate_Authorities>
work. On the master, I run:

    cd /etc/puppet/ssl
    openssl s_server -Verify 10 \
        -cert ./certs/${server_fqdn}.pem \
        -key ./private_keys/${server_fqdn}.pem \
        -CAfile ./certs/ca-bundle.pem

On the client, I run:

    cd /etc/puppet/ssl
    openssl s_client -connect ${server_fqdn}:4433 -verify 10 \
        -cert ./certs/${client_fqdn}.pem \
        -key ./private_keys/${client_fqdn}.pem \
        -CAfile ./certs/ca.pem   # a copy of ca-bundle.pem

and the client successfully connects to the server, and they like each
other's keys and certificates.

If I keep exactly the same openssl s_server running on the
puppetmaster, and run puppetd instead of openssl s_client on the client
side, it fails. I run this command:

    puppetd --onetime --test --debug \
        --server=${server_fqdn} --masterport=4433

and it prints several messages about "debug: /File[foo]: Autorequiring
File[bar]", then this:

    debug: Using cached certificate for ca
    debug: Using cached certificate for ${server_fqdn}
    debug: Using cached certificate_revocation_list for ca
    debug: catalog supports formats [blah blah]; using pson
    err: could not retrieve catalog from remote server: \
        SSL_connect returned=1 errno=0 \
        state=SSLv3 read server certificate B: certificate verify failed

On the server side (the openssl s_server process, not puppet), I see
this:

    ACCEPT
    ERROR
    29884:error:14094418:SSL routines:SSL3_READ_BYTES:\
        tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
    shutting down SSL
    CONNECTION CLOSED

So, it seems that the puppetd client is doing something different from
the "openssl s_client" command used for testing. What certificate is
the puppetd client attempting to present, and how can I change that?

There's no apache+passenger in this test, but in reality I would be
using that on the server. This is puppet 0.25.5.

--apb (Alan Barrett)
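The premise of the thread is that a ca-bundle.pem made by concatenating the two puppetmasters' CA certificates lets either side verify a certificate issued by either CA, while a single CA file only accepts its own issuance. The script below is an added example, not part of the original mailing-list post and not Puppet's own code: it builds two throwaway CAs, issues one leaf certificate from each, concatenates the CA certs into a bundle, and runs `openssl verify -CAfile` against the bundle and against a single CA file. The CA and host names (ca1, ca2, master1, agent2), the temporary directory and the minimal req config are all constructed for the example. The chain-building decision `openssl verify` makes with `-CAfile` is the same one `s_server -Verify` and `s_client -verify` make for the peer certificate; the example does not address why puppetd behaves differently from s_client, which the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the original thread): two throwaway CAs, one leaf
# cert from each, and openssl verify checks showing that a concatenated
# ca-bundle.pem accepts both leaves while a single CA file accepts only its own.
# All names (ca1, ca2, master1, agent2) and the work directory are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the result does not depend on the distro openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA cert $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA NAME: end-entity cert $WORK/NAME.pem signed by $WORK/CA.pem
issue_leaf() {
    openssl req -new -config "$WORK/req.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_leaf CAFILE LEAF: exit status 0 only if LEAF chains to a CA cert
# found in CAFILE, i.e. the same trust decision made by -CAfile elsewhere.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "ok   $(basename "$2") verifies against $(basename "$1")"
    else
        echo "FAIL $(basename "$2") does not verify against $(basename "$1")"
        return 1
    fi
}

make_ca ca1
make_ca ca2
issue_leaf ca1 master1   # issued by the first puppetmaster's CA
issue_leaf ca2 agent2    # issued by the second puppetmaster's CA
cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/ca-bundle.pem"

# Both leaves verify against the bundle; agent2 does not verify against ca1 alone.
verify_leaf "$WORK/ca-bundle.pem" "$WORK/master1.pem"
verify_leaf "$WORK/ca-bundle.pem" "$WORK/agent2.pem"
verify_leaf "$WORK/ca1.pem" "$WORK/agent2.pem" || true
```

Run it as `sh bundle-check.sh`; every file it creates lives under a temporary directory that is removed on exit. The point it makes for the thread's setup is that the bundle must be the file named by `-CAfile` (or by Puppet's cacert/localcacert) on whichever side does the verifying; a client that still holds only one CA's certificate will reject peers from the other CA with exactly the "unknown ca" alert shown in the s_server output.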
