> Well, the gist of the question is in the title.  Basically we want to use
> our existing browser SSL CA infrastructure for the puppetdb box.  We have
> many puppetmasters which each have their own CAs and our intent is to have a
> single puppetdb box that all of these talk to.  Currently we are getting
> "SSL_connect returned1 .... certificate verify failed" errors.  I would like
> to simply add the CA to some sort of "trust store" for the puppetmasters so
> that we can talk to a puppetdb that is signed by a CA that differs from the
> CA puppetmaster is using to sign node certs.

So we have recently implemented the pem based storage options, but in
the past we pushed people to use the truststore configuration
instead:

http://docs.puppetlabs.com/puppetdb/1.5/configure.html#truststore

This forced a user to create a traditional JKS store and put their CA
certificates in that. I haven't tested it, but this probably accepts
multiple CA certificates. Have you tried this yet? I would need to run
up a test myself to do this; if this sounds sort of like what you are
after, happy to help. I'm not positive it works - but this feels like
the way to do it for now.

If it doesn't work, we can work towards solving it properly, but going
forward, the ability to specify multiple ca certificates for the
ssl-ca-cert setting sounds like another viable option:
http://docs.puppetlabs.com/puppetdb/1.5/configure.html#ssl-ca-cert

> Hope this makes sense!  I see a few different ca.pem files, but am unsure if
> I can just start concatenating stuff onto these and whether that will break
> puppetmaster's signing, etc.

Hmm. Not sure either, probably won't work.

ken.
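
To check the suggestion above that a JKS truststore accepts more than one CA certificate, here is an added example (not from this thread or the PuppetDB project) that builds such a store with keytool from two throwaway self-signed certificates standing in for the puppetmaster CAs and then counts the trusted entries; the WORK directory, the STOREPASS value and the alias names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build one JKS truststore holding several
# CA certificates and count what ended up in it. Needs a JDK for `keytool`.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use a real password in production

# make_fake_ca NAME: throwaway self-signed cert standing in for a real CA,
# exported as PEM to $WORK/NAME.pem (constructed; use your actual ca.pem files)
make_fake_ca() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1 -alias "$1" \
        -dname "CN=$1" -keystore "$WORK/$1.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
    keytool -exportcert -rfc -alias "$1" -keystore "$WORK/$1.jks" \
        -storepass "$STOREPASS" -file "$WORK/$1.pem" >/dev/null 2>&1
}

# build_truststore STORE PEM...: import every PEM under its own alias
# (keytool refuses a second cert whose alias is already in the store)
build_truststore() {
    store="$1"; shift
    for pem in "$@"; do
        keytool -importcert -noprompt -storetype JKS \
            -alias "$(basename "$pem" .pem)" -file "$pem" \
            -keystore "$store" -storepass "$STOREPASS" >/dev/null 2>&1
    done
}

# count_trusted STORE: how many trustedCertEntry records the store holds
count_trusted() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep -c trustedCertEntry || true
}

if command -v keytool >/dev/null 2>&1; then
    make_fake_ca puppetmaster-a
    make_fake_ca puppetmaster-b
    build_truststore "$WORK/truststore.jks" \
        "$WORK/puppetmaster-a.pem" "$WORK/puppetmaster-b.pem"
    echo "trusted CA certs in $WORK/truststore.jks: $(count_trusted "$WORK/truststore.jks")"
else
    echo "keytool not found; install a JDK to run this" >&2
fi
```

Point PuppetDB's `truststore` and `trust-password` settings at the resulting file, after replacing the throwaway certificates with the real ca.pem files from each puppetmaster.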
