On Friday, November 15, 2013 1:30:53 PM UTC-5, Ken Barber wrote:
>
> > What you're saying makes perfect sense -- regarding this being something
> > that the puppetdb-terminus stuff does and making it an option in
> > puppetdb.conf, etc.
> >
> > Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby
> > is very limited) and I see that the http_pool.rb configures the ssl stuff
> > setting ca_cert = Puppet[:localcacert]. That defaults to
> > $certdir/certs/ca.pem. I've tried also explicitly specifying it in the
> > config file, but to no avail. I still get the verify failure, although doing
> > this manually in irb is working:
> >
> > require 'net/https'
> > http = Net::HTTP.new('puppetdb.<domain>', 443)
> > http.use_ssl = true
> > http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem'
> > # (I concatenated the global CA onto the end of ca.pem)
> > http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> > http.send('get', '/')
> > #<Net::HTTPFound 302 Found readbody=true>
> >
> > I validated that pointing at the original ca.pem file fails as expected. So
> > I'm a little confused as to why puppetmaster isn't succeeding after I
> > modified that file. Perhaps there's some additional verification happening.
> > I'll probably give up soon :)
>
> Can you capture your feature requirements in redmine for us?
>
> http://projects.puppetlabs.com/projects/puppetdb
>
> ken.
>
Will do.
Thanks!