<snip>
> So I think I understand, what you are saying is that the client
> refuses to accept the PuppetDB's server certificate, because it's not
> signed by its own CA? This is not a client certificate thing, my point
> is - purely server side certs. Right? Because your PuppetDB's server
> cert is signed with a more global different CA, it doesn't work yeah?
>
That's exactly right, yeah. No client certs, just an issue with different
CA being used for the puppetdb server cert. (I probably could have put
this more concisely from the beginning!)
> > It would be really nice if there was a way to say "hey, puppet[master]
> > for your outbound https connections, here's a ca-bundle.pem you can use to
> > verify servers". The idea that we'd use the puppetmaster CA *seems*
> > wrong here. Especially in an environment like ours where we have many
> > (dozens) of puppetmasters that each manage their own little ecosystems.
> > (And we don't really want to force a single CA.)
>
> Yeah, it's wrong in your multi-CA scenario for sure. We totally just
> use the HTTP libraries Puppet provides us and all its cert
> assumptions, for simplicity I guess. At least, it works for single-CA
> scenarios just fine.
>
> We could look into providing a feature for this probably. The change
> would probably need to occur in the puppetdb-terminus code and an
> option added to /etc/puppet/puppetdb.conf most probably.
>
> Although if Puppet itself supported multiple CA bundles, this wouldn't
> happen - I think the fix is more elegant in Puppet as all
> clients/termini/plugins using their HTTP libraries would just work for
> multi-ca without each one having to do its own thing.
>
>
What you're saying makes perfect sense -- regarding this being something
that the puppetdb-terminus stuff does and making it an option in
puppetdb.conf, etc.
Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby
is very limited) and I see that the http_pool.rb configures the ssl stuff
setting ca_cert = Puppet[:localcacert]. That defaults to
$certdir/certs/ca.pem. I've tried also explicitly specifying it in the
config file, but to no avail. I still get the verify failure, although
doing this manually in irb is working:
require 'net/https'
# Plain Net::HTTP client pointed at the PuppetDB host (placeholder domain kept as posted).
http = Net::HTTP.new('puppetdb.<domain>', 443)
http.use_ssl = true
# Trust store used to verify the server certificate.
http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem'
# (I concatenated the global CA onto the end of ca.pem)
# Fail the handshake if the server cert does not chain to something in ca_file.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.get('/')
# => #<Net::HTTPFound 302 Found readbody=true>
I validated that pointing at the original ca.pem file fails as expected.
So I'm a little confused as to why puppetmaster isn't succeeding after I
modified that file. Perhaps there's some additional verification
happening. I'll probably give up soon :)
Thanks again-
Hans
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/9e2c238a-1c58-4e43-87fd-b29eb817209c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
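The verification the thread is arguing about, reproduced offline as an added example (this is not code from the thread, from Puppet or from PuppetDB). It builds two throwaway CAs, issues a server certificate for a constructed hostname (`puppetdb.example`) from the "global" one, and checks that certificate against a CA file loaded the way `Net::HTTP#ca_file=` loads it: with only the puppetmaster's own CA the chain fails, and after the global CA is appended to the same file it verifies. The CA names, hostname and the temp-file path are all constructed for the demonstration. `bundle_subjects` is a small check of what a concatenated ca.pem actually contains.

```ruby
require 'openssl'
require 'tempfile'

# Build a self-signed CA certificate and its private key. These are constructed
# throwaway CAs for the demonstration, not anything from a real Puppet or PuppetDB setup.
def make_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue a leaf server certificate for +hostname+ signed by the given CA.
def issue_server_cert(hostname, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Load a PEM file the way Net::HTTP#ca_file= does (every certificate in the file
# becomes a trust anchor) and verify the server certificate against it.
# Returns [verified?, reason].
def verify_with_ca_file(server_cert, ca_file_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file_path)
  ok = store.verify(server_cert)
  [ok, ok ? 'ok' : store.error_string]
end

# List the subjects of every certificate in a bundle: a quick check that a
# concatenated ca.pem really contains all the CAs you think it does.
def bundle_subjects(ca_file_path)
  File.read(ca_file_path)
      .scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem).subject.to_s }
end

# Reproduce the thread's situation: the PuppetDB server cert is signed by a
# "global" CA, while the puppetmaster only trusts its own CA file.
def run_demo
  puppet_ca, _puppet_key = make_ca('Puppet CA: puppetmaster.example')
  global_ca, global_key  = make_ca('Global Corporate CA')
  server_cert = issue_server_cert('puppetdb.example', global_ca, global_key)

  results = {}
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(puppet_ca.to_pem)
    f.flush
    results[:puppet_ca_only] = verify_with_ca_file(server_cert, f.path)
    # Append the global CA to the same file, as Hans did with ca.pem, and verify again.
    f.write(global_ca.to_pem)
    f.flush
    results[:bundle]   = verify_with_ca_file(server_cert, f.path)
    results[:subjects] = bundle_subjects(f.path)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run with `ruby ca_bundle_demo.rb`. The point of the two results is that a concatenated bundle is sufficient for OpenSSL's own chain building, so if the file the puppetmaster reads (`Puppet[:localcacert]` in the thread) contains both CAs and the connection still fails verification, the reason has to be elsewhere: a different file being read, a store configured some other way, or a hostname mismatch, which `VERIFY_PEER` in Net::HTTP also checks and this example deliberately does not.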