On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>> If I point that node to my top-level Master (via entry in /etc/hosts),
>> the `puppet agent --test --noop` invocation works without error.
>
> You want to make sure the subordinate master presents the same CA pub
> key as the top-level master.

This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:

  SSLCertificateFile      /var/lib/puppet/ssl/certs/top-level-master.domain.pem
  SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
  SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

On my subordinate masters, I have:

  SSLCertificateFile      /var/lib/puppet/ssl/certs/subordinate-master.pem
  SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/subordinate-master.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
  SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem

On the subordinate masters, the ca.pem referenced in the SSLCertificateChainFile and SSLCACertificateFile is the same as the top-level master's SSLCertificateChainFile.

I copied ca_crt.pem from the top-level master to the subordinate master, and updated the SSLCACertificateFile to point to it. The node still fails with the same error message.

Perhaps I'm not fully understanding you. Do I need each subordinate master to use the same public _and_ private key as the CA?

>> Subordinate masters can function as clients of the top-level Master
>> successfully, so their certificates are installed and signed
>> correctly, at least for the agent context.
>
> You only verified they have a working client cert, not that it's
> presenting the correct CA pub key or server cert. An easy test is to
> connect the subordinate master to itself and see if that works.
>
> I would run the following tests:
>
> client:
> puppet agent -t --server sub-master --ca_server master

This is essentially the test I've been performing, using /etc/hosts entries to point to a specific subordinate master. Using an explicit "--server" argument does not produce different results on the node: it fails.

> sub-master:
> puppet agent -t --server sub-master --ca_server master

I had not tried this test.
Doing so fails in the same way that the client fails.

Thanks,
Scott
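As an added check that is not part of Scott's or Nan's messages, the following POSIX shell script turns Nan's point into something you can verify with openssl: that the server certificate a master presents chains to the CA certificate the agents trust, and that two CA files (such as the top-level master's ca_crt.pem and a subordinate's ca.pem) really are the same CA. The host name sub-master.example, the temporary directory, and the Puppet default port 8140 are assumptions; the demo CA and certificates are constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires openssl.

# Return 0 if SERVER_CERT chains to the CA in CA_FILE, non-zero otherwise.
# This is the check a puppet agent effectively performs on the master's cert.
check_cert_chain() {
  ca_file="$1"
  server_cert="$2"
  openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1
}

# Return 0 if two PEM files carry the same certificate (compared by SHA-256
# fingerprint), e.g. the CA's ca_crt.pem versus a subordinate's ca.pem.
same_ca() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Print the certificate a live master presents on port 8140 (Puppet default).
# Needs network access, so it is not exercised by the offline demo below.
fetch_served_cert() {
  host="$1"
  openssl s_client -connect "$host:8140" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Constructed demo PKI in a temp dir: a CA, a server cert it signs for the
# assumed name sub-master.example, and an unrelated CA that should not verify.
make_demo_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Puppet CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sub-master.example" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/srv.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  echo "$dir"
}

# Usage against real files on a subordinate master:
#   check_cert_chain /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/subordinate-master.pem
#   same_ca ca_crt.pem-copied-from-top-level-master /var/lib/puppet/ssl/certs/ca.pem
#   fetch_served_cert sub-master.example | openssl x509 -noout -issuer
```

The `fetch_served_cert` output, piped through `openssl x509 -noout -issuer`, shows which CA actually signed the certificate Apache is serving, which is independent of whatever ca.pem the config points at and is therefore the quickest way to see whether a subordinate master is presenting a cert from the top-level CA.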