Hey all-

I am trying to set up branch testing as described at http://www.reductivelabs.com/trac/puppet/wiki/BranchTesting , but am running into a few snags. I've set up an alternate directory for the testing branch config files, and have created a copy of everything stored under /var/lib/puppet and pointed the test server to that stuff. However, when I try to connect to the test server from a client (puppetd --test --noop --masterport 8141), I get an openssl error:

/usr/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)

I've checked with openssl s_client and both the servers are passing the same info. Is there something I'm overlooking?

On Dec 6, 2007, at 4:53 PM, peter woodman wrote:

> Hey all-
> I am trying to set up branch testing as described at http://www.reductivelabs.com/trac/puppet/wiki/BranchTesting
> , but am running into a few snags. I've set up an alternate directory
> for the testing branch config files, and have created a copy of
> everything stored under /var/lib/puppet and pointed the test server to
> that stuff. However, when I try to connect to the test server from a
> client (puppetd --test --noop --masterport 8141), I get an openssl
> error:
>
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify
> failed (OpenSSL::SSL::SSLError)
>
> I've checked with openssl s_client and both the servers are passing
> the same info. Is there something I'm overlooking?

I would make sure that both clients are using the same certificate authority file...

I think it's the "ca.pem" file somewhere in the ssl directory on the client, but this may be my specific configuration and not the default location.

The problem you're facing appears to be the client rejecting the server's certificate because it doesn't trust the authority signing it.

Cheers,
--
Jeff McCune
Systems Manager
The Ohio State University
Department of Mathematics

On 12/6/07, Jeff McCune <mccune@math.ohio-state.edu> wrote:

> I would make sure that both clients are using the same certificate
> authority file...
>
> I think it's the "ca.pem" file somewhere in the ssl directory on the
> client, but this may be my specific configuration and not the default
> location.

Yeah, there's only one ca.pem on the client machine, in /var/lib/puppet/ssl/certs/ca.pem, which is the same as the ca_crt.pem on the server machine. Everything file-wise is identical between a successful and a failing run on the client- the only thing that's different is the masterport setting.
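
The check the reply above points at, whether the certificate a server presents chains to the CA certificate the client holds, as an added Ruby example that is not part of the original thread. The CAs, keys and host name are constructed, and `make_cert`, `verify_against` and `demo` are hypothetical helper names; the two CAs deliberately share a subject name to show that a matching issuer name does not imply a matching signing key.

```ruby
require 'openssl'

# Build a certificate; self-signed CA when issuer/issuer_key are nil.
def make_cert(cn, key, issuer = nil, issuer_key = nil, serial = 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  constraint = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify server_cert against a trust store holding only ca_cert,
# which is what the client does with its ca.pem. Returns [ok, reason].
def verify_against(ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Constructed scenario: the client trusts client_ca, but the server
# certificate was signed by other_ca, which has the same subject name.
def demo
  client_key, other_key, srv_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  client_ca = make_cert('puppetca', client_key)
  other_ca  = make_cert('puppetca', other_key)
  server    = make_cert('puppet.example.test', srv_key, other_ca, other_key, 2)
  { same_issuer_name: client_ca.subject.to_s == server.issuer.to_s,
    against_client_ca: verify_against(client_ca, server),
    against_other_ca: verify_against(other_ca, server) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With real files, load each side with `OpenSSL::X509::Certificate.new(File.read(path))`, for example the client's /var/lib/puppet/ssl/certs/ca.pem and the certificate the server on the test port actually presents, and pass them to `verify_against`.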