On Thu, Jun 14, 2012 at 12:30 PM, Scott Merrill <ski...@skippy.net> wrote:
> On Thu, Jun 14, 2012 at 3:13 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> So normally for self-signed CA the issuer and subject are the same. In
>> this case you are issuing the certs via:
>> CN=Puppet CA: top-level-master.domain
>>
>> However you are asking the system to verify against a CA cert that
>> presents the subject as:
>> CN=Puppet CA: nlvmjt036.nwideweb.net
>
> Well that's what I get for trying to sanitize the output before
> posting to the list.  nlvmjt036 is the name of my top-level master.
>
>> So can you locate your CA cert with the subject?
>> Subject: CN=Puppet CA: top-level-master.domain
>
> On my top-level master:
> # diff -s /var/lib/puppet/ssl/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
> Files /var/lib/puppet/ssl/ca/ca_crt.pem and
> /var/lib/puppet/ssl/certs/ca.pem are identical
>
> As mentioned previously, the top-level master's
> /var/lib/puppet/ssl/certs/ca.pem file is identical to the subordinate
> master's /var/lib/puppet/ssl/certs/ca.pem file.

Ok, that should be correct. The minor things I can think of are to
verify the CA.pem file permissions and verify the agent cert issuer.

A few other things you can try are to run the WEBrick server and run
puppet master --debug --no-daemonize on the sub master and see if that
gives any more info. You can also try enabling CA on the sub-master and
check what you get back from another test client and see whether you
receive the right CA file on initial connection and what CA cert signs
that client's CSR. That's all I can think of.

Thanks,

Nan
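
The issuer and permission checks suggested in this message, as an added shell example that is not part of the original thread. It goes one step further than comparing names by also verifying the signature, since a regenerated CA can carry the same subject with a different key. The function names, the `master.example` and `agent.example` names, and the generated sample PKI are constructed for illustration.

```shell
#!/bin/sh
# Print a cert's issuer or subject DN in one stable form (RFC 2253).
dn() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" 2>/dev/null | sed 's/^[a-z]*= *//'; }

# check_issued_by CA_PEM CERT_PEM: 0 only if CERT names CA as issuer AND verifies.
check_issued_by() {
    ca_subject=$(dn subject "$1"); cert_issuer=$(dn issuer "$2")
    if [ -z "$ca_subject" ] || [ -z "$cert_issuer" ]; then
        echo "UNREADABLE: could not parse $1 or $2"; return 2
    fi
    if [ "$ca_subject" != "$cert_issuer" ]; then
        echo "MISMATCH: cert issuer '$cert_issuer' != CA subject '$ca_subject'"; return 1
    fi
    # Names can match while keys differ (a regenerated CA), so check the signature too.
    if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "SIGNATURE: $2 names this CA but does not verify against it"; return 1
    fi
    echo "OK: $2 was issued by $ca_subject"
}

# check_ca_perms FILE: 0 if readable by the current user and not world-writable.
# Assumption: run it as the account the master process runs under.
check_ca_perms() {
    [ -r "$1" ] || { echo "UNREADABLE: $1"; return 1; }
    [ -z "$(find "$1" -perm -002)" ] || { echo "WORLD-WRITABLE: $1"; return 1; }
    echo "OK: $1"
}

# Constructed sample PKI for an offline run (not from the thread): a CA, an agent
# cert it signs, and a second CA with the same subject but a different key.
make_demo_pki() {
    for n in ca regenerated_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Puppet CA: master.example' \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj '/CN=agent.example' \
        -keyout "$1/agent.key" -out "$1/agent.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/agent.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -out "$1/agent.pem" 2>/dev/null
}

# Usage against real files: sh check_ca.sh /var/lib/puppet/ssl/certs/ca.pem AGENT_CERT.pem
if [ "$#" -eq 2 ]; then check_ca_perms "$1" && check_issued_by "$1" "$2"; fi
```

Running it on both the top-level and the subordinate master with the same agent certificate shows whether each side trusts the CA that actually signed it.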
