Bruno Harbulot
2012-Apr-04 13:57 UTC
[Puppet Users] Unable to make Puppet Agent trust Puppet Master server certificate with own CA
Hello,

I'm trying to set up a puppet master server with a server certificate from my own organisation (but still use Puppet's own CA for the client certificates).

On the puppet master server, the certificate was put in /var/lib/puppet/ssl/certs (and the private key in the private_keys directory), with the right FQDN host name. The server configuration seems to work fine, since

    openssl s_client -connect puppetmaster.example.com:8140

shows that certificate indeed.

On the client side, I've changed certs/ca.pem to use my own CA. OpenSSL verifies it well with:

    openssl s_client -CAfile ...path-to/ssl/certs/ca.pem -connect puppetmaster.example.com:8140

However,

    puppet agent --test --server puppetmaster.example.com

fails with:

    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.

(The FQDNs/Common Names are correct, the clocks are fine, and when I revert to the Puppet CA server certificate, it works too.)

Where are the trust anchors for the puppet agent meant to be configured if it's not in certs/ca.pem?

Best wishes,

Bruno.