Hello, I'm trying to set up a puppet master server with a server certificate from my own organisation (but still use Puppet's own CA for the client certificates).
On the puppet master server, the certificate was put in /var/lib/puppet/ssl/certs (and the private key in the private_keys directory), with the right FQDN host name. The server configuration seems to work fine, since

    openssl s_client -connect puppetmaster.example.com:8140

shows that certificate indeed.

On the client side, I've changed certs/ca.pem to use my own CA. OpenSSL verifies it well with:

    openssl s_client -CAfile ...path-to/ssl/certs/ca.pem -connect puppetmaster.example.com:8140

However,

    puppet agent --test --server puppetmaster.example.com

fails with:

    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.

(The FQDNs/Common Names are correct, the clocks are fine, and when I revert to the Puppet CA server certificate, it works too.)

Where are the trust anchors for the puppet agent meant to be configured if it's not in certs/ca.pem?

Best wishes,

Bruno.
