Er ah, to be more specific, I had to list the correct .pem files in the puppetmaster vhost, and change the server IP.
On Tuesday, November 18, 2014 10:51:40 AM UTC-5, Roger Sherman wrote:
>
> Turns out this was the problem - thanks for the help, guys, as always,
> talking it out helped point me down the right path.
>
> Thanks,
>
> Rog
>
> On Tuesday, November 18, 2014 9:56:05 AM UTC-5, Roger Sherman wrote:
>>
>> Right - and on that note, I think I've made a little bit of progress, but
>> I'm still not there yet.
>>
>> I looked at the apache vhost file for the puppetmaster, and found the
>> following:
>>
>> # you probably want to tune these settings
>> PassengerHighPerformance on
>> PassengerMaxPoolSize 12
>> PassengerPoolIdleTime 1000
>> # PassengerMaxRequests 1000
>> PassengerStatThrottleRate 120
>> RackAutoDetect Off
>> RailsAutoDetect Off
>>
>> Listen 8140
>> NameVirtualHost 10.60.0.100:8140
>>
>> <VirtualHost 10.60.0.100:8140>
>> # LogLevel debug
>> ServerName puppet.nyc.viddler.com
>> SSLEngine on
>> SSLProtocol -ALL +SSLv3 +TLSv1
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>>
>> SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
>> SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
>> SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>> # If Apache complains about invalid signatures on the CRL, you can try disabling
>> # CRL checking by commenting the next line, but this is not recommended.
>> SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>>
>> So "domain" is our old domain, and 10.60 needs to be changed as well.
>>
>> I'll report back if this fixes the issue or not.
>>
>> On Tuesday, November 18, 2014 9:46:22 AM UTC-5, jcbollinger wrote:
>>>
>>> On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote:
>>>>
>>>> For some reason, (I think) the PM is unable to sign them. At least,
>>>> that's what seems to be the case.
>>>>
>>>
>>> Well yes, sort of. It appears that the PM is unable to sign the
>>> requests because the client is unable to establish a secure connection over
>>> which to *issue* the request in the first place. (The client doesn't
>>> need its own cert for that. The client cert is for the client to prove its
>>> identity to the master, which it doesn't need to do to request cert
>>> signing.)
>>>
>>> John
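
A check for the mismatch this thread ends up at (vhost PEM paths and bind address still pointing at the old domain and IP), as an added example that is not part of the original messages. It assumes the per-host PEM files are named after the master's certname and that the certname equals the vhost's ServerName; the sample text is constructed from the quoted vhost, and `192.0.2.10` is a placeholder for the new server IP, which the thread does not give.

```python
from pathlib import PurePosixPath

# Constructed sample, modelled on the vhost quoted in the thread.
SAMPLE_VHOST = """\
Listen 8140
NameVirtualHost 10.60.0.100:8140
<VirtualHost 10.60.0.100:8140>
    ServerName puppet.nyc.viddler.com
    SSLEngine on
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
</VirtualHost>
"""

# Directives whose PEM file is per-host (assumed to be named <certname>.pem).
PER_HOST_PEM = ("SSLCertificateFile", "SSLCertificateKeyFile")
# Directives that carry the address the master binds to.
ADDR_DIRECTIVES = ("NameVirtualHost", "<VirtualHost")

def parse_directives(text):
    """Yield (directive, first_argument) for each non-comment config line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        parts = line.rstrip(">").split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].split()[0]

def audit_vhost(text, expected_ip):
    """Return findings: stale bind addresses and PEM files not named after ServerName."""
    directives = list(parse_directives(text))
    server_name = next((v for d, v in directives if d == "ServerName"), None)
    findings = []
    for d, v in directives:
        if d in ADDR_DIRECTIVES:
            ip = v.rsplit(":", 1)[0]
            if ip not in ("*", "_default_", expected_ip):
                findings.append(f"{d.lstrip('<')} binds {ip}, expected {expected_ip}")
        elif d in PER_HOST_PEM:
            stem = PurePosixPath(v).stem  # file name without the .pem suffix
            if stem != server_name:
                findings.append(f"{d} is for '{stem}', ServerName is '{server_name}'")
    return findings

if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST, "192.0.2.10"):
        print(finding)
```
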
