> What you're saying makes perfect sense -- regarding this being something
> that the puppetdb-terminus stuff does and making it an option in
> puppetdb.conf, etc.
>
> Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby
> is very limited) and I see that the http_pool.rb configures the ssl stuff
> setting ca_cert = Puppet[:localcacert]. That defaults to
> $certdir/certs/ca.pem. I've tried also explicitly specifying it in the
> config file, but to no avail. I still get the verify failure, although doing
> this manually in irb is working:
>
> require 'net/https'
> http = Net::HTTP.new('puppetdb.<domain>', 443)
> http.use_ssl = true
> http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem'
> # (I concatenated the global CA onto the end of ca.pem)
> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> http.send('get', '/')
> #<Net::HTTPFound 302 Found readbody=true>
>
> I validated that pointing at the original ca.pem file fails as expected. So
> I'm a little confused as to why puppetmaster isn't succeeding after I
> modified that file. Perhaps there's some additional verification happening.
> I'll probably give up soon :)
Can you capture your feature requirements in Redmine for us?
http://projects.puppetlabs.com/projects/puppetdb
ken.
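
An added example, not code from this thread or from Puppet: a stand-alone Ruby check of whether a given CA bundle file validates a server certificate, before and after a second CA is appended to it, as described in the quoted message. The CA names, the host name `puppetdb.example.test` and all helper functions are constructed for illustration, and the check does not reproduce what http_pool.rb does.

```ruby
require 'openssl'
require 'tempfile'

# Constructed test data: a self-signed CA when issuer is nil, else a leaf signed by issuer.
def make_cert(cn, issuer = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 32) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer.nil?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# List the subject of every certificate in a PEM bundle, to confirm what the file contains.
def bundle_subjects(path)
  File.read(path)
      .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem).subject.to_s }
end

# Chain-verify a server certificate using only the CAs found in the bundle file.
def verify_against(path, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_file(path)
  { ok: store.verify(server_cert), error: store.error_string }
end

def demo
  puppet_ca = make_cert('Constructed Puppet CA')
  global_ca = make_cert('Constructed Global CA')
  server = make_cert('puppetdb.example.test', global_ca)[:cert]
  Tempfile.create('ca.pem') do |f|
    f.write(puppet_ca[:cert].to_pem); f.flush
    before = verify_against(f.path, server)   # bundle holds only the first CA
    f.write(global_ca[:cert].to_pem); f.flush # append the second CA to the same file
    { before: before, after: verify_against(f.path, server), subjects: bundle_subjects(f.path) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running `bundle_subjects` and `verify_against` on the file a process is actually configured to read shows whether that file, rather than a different copy, contains the issuing CA.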
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.