On Thu, Jun 14, 2012 at 12:50 PM, Nan Liu <n...@puppetlabs.com> wrote:
> On Thu, Jun 14, 2012 at 9:27 AM, Scott Merrill <ski...@skippy.net> wrote:
>> If I point that node to my top-level Master (via entry in /etc/hosts),
>> the `puppet agent --test --noop` invocation works without error.
>
> You want to make sure the subordinate master presents the same CA pub
> key as the top-level master.

This sounds like it may be the piece I've been missing.

On the PuppetCA, I have the following in /etc/httpd/conf.d/puppet.conf:
    SSLCertificateFile /var/lib/puppet/ssl/certs/top-level-master.domain.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/top-level-master.domain.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

On my subordinate masters, I have:
    SSLCertificateFile /var/lib/puppet/ssl/certs/subordinate-master.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/subordinate-master.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

On the subordinate masters, the ca.pem referenced in the
SSLCertificateChainFile and SSLCACertificateFile is the same as the
top-level master's SSLCertificateChainFile.

I copied ca_crt.pem from the top-level master to the subordinate
master, and updated the SSLCACertificateFile to point to it. The node
still fails with the same error message.

Perhaps I'm not fully understanding you. Do I need each subordinate
master to use the same public _and_ private key as the CA?

>> Subordinate masters can function as clients of the top-level Master
>> successfully, so their certificates are installed and signed
>> correctly, at least for the agent context.
>
> You only verified they have a working client cert, not that it's
> presenting the correct CA pub key or server cert. An easy test is to
> connect the subordinate master to itself and see if that works.
>
> I would run the following tests:
>
> client:
> puppet agent -t --server sub-master --ca_server master

This is essentially the test I've been performing using /etc/hosts
entries to point to a specific subordinate master. Using an explicit
"--server" argument does not produce different results on the node: it
fails.

> sub-master:
> puppet agent -t --server sub-master  --ca_server master

I had not tried this test. Doing so fails in the same way that the client fails.

Thanks,
Scott
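One way to check Nan's point offline, as an added example that is not code from this thread or from Puppet itself: a small Python script that reads the SSL*File directives from a master's Apache vhost snippet and confirms that the files behind SSLCertificateChainFile and SSLCACertificateFile contain the top-level CA certificate (same SHA-256 fingerprint over the DER bytes). The PEM blobs produced by `fake_pem` and the in-memory `files` map are constructed placeholders standing in for real certificates and the master's filesystem.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w*File)\s+(\S+)", re.M)

def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle (chain files may hold several)."""
    fps = []
    for b64 in CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def ssl_paths(vhost_conf):
    """Map each SSL*File directive in an Apache vhost snippet to the path it names."""
    return dict(DIRECTIVE_RE.findall(vhost_conf))

def check_master(vhost_conf, files, ca_fp):
    """List directives whose file does not carry the top-level CA cert; files is {path: pem_text}."""
    paths = ssl_paths(vhost_conf)
    problems = []
    for directive in ("SSLCertificateChainFile", "SSLCACertificateFile"):
        path = paths.get(directive)
        if path is None:
            problems.append(f"{directive} not set")
        elif ca_fp not in cert_fingerprints(files.get(path, "")):
            problems.append(f"{directive} -> {path} lacks the top-level CA cert")
    return problems

def fake_pem(seed):
    """Constructed stand-in for a certificate: PEM framing around arbitrary bytes (not real X.509)."""
    body = base64.b64encode(hashlib.sha256(seed.encode()).digest() * 2).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: the top-level CA, and a subordinate whose ca.pem is a stale, different CA.
CA_PEM = fake_pem("puppet-ca")
CA_FP = cert_fingerprints(CA_PEM)[0]
SUB_CONF = """
    SSLCertificateFile /var/lib/puppet/ssl/certs/subordinate-master.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
"""
STALE_FILES = {"/var/lib/puppet/ssl/certs/ca.pem": fake_pem("old-ca")}
FIXED_FILES = {"/var/lib/puppet/ssl/certs/ca.pem": CA_PEM}
```

A file that is correct on disk still has to be the one the running vhost loaded, so after a fix the same fingerprint comparison is worth repeating against the chain the server actually sends.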
