Geoff Crompton
2010-Jun-18 05:07 UTC
[Puppet Users] problems with puppetmaster using intermediate CA cert
Hi, I'm trying to develop a manifest to set up a new puppet master. To solve the SSL certificates I've created a root CA outside of puppet, and have generated an intermediate CA for the new puppet master to use. I've also configured my puppetmaster daemon to use its own ssl directory. So the new puppetmaster is at the same time a client of the old puppet master using the old puppet managed CA on that machine, and a puppet master using this new hybrid CA (1) scheme.

However, I get SSL errors when the puppet client joins. The initial join seems to work: I successfully do 'puppetca --sign', and I find on the client that appropriate keys and certs have appeared under /var/lib/puppet/ssl. However, when I run 'puppetd --test', I get errors:

geoffc@chiraz-60:~/tmp$ sudo puppetd --test --color=false
info: Loading fact raidcontroller
info: Loading fact raidtype
info: Retrieving plugins
warning: Certificate validation failed; considering using the certname configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Certificate validation failed; considering using the certname configuration option
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Could not describe /plugins: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
info: Loading fact raidcontroller
info: Loading fact raidtype
warning: Certificate validation failed; considering using the certname configuration option
err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog

Anyone know how I can arrange for the puppet client to successfully trust the master's certificate?

(1) By hybrid I mean that the puppet master's certificate and private key have been generated by me, but I want the puppet master to act as the CA like it normally does for the puppet clients that connect to it.

--
+-Geoff Crompton
+--Debian System Administrator
+---Trinity College

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2010-Jun-18 05:26 UTC
Re: [Puppet Users] problems with puppetmaster using intermediate CA cert
On Fri, Jun 18, 2010 at 1:07 PM, Geoff Crompton <geoffc@trinity.unimelb.edu.au> wrote:

> Anyone know how I can arrange for the puppet client to successfully trust the master's certificate?

You need to add the top-level CA public key to /var/lib/puppet/ssl/certs/ca.pem.

You might still fail on CRL, which is completely broken on 0.25.4 and below (in the 0.25.x series); 0.25.5 adds an option to ignore it.

Ohad
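A reproduction of the trust failure in this thread, added here as an example that is not part of the original posts: it builds a throwaway root / intermediate / puppetmaster chain with openssl (assumed to be installed; every subject name is constructed) and checks which contents of the client's ca.pem let the master's certificate verify.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate ->
# puppetmaster chain and check which client trust stores (the contents of
# /var/lib/puppet/ssl/certs/ca.pem) let the master's cert verify.
# Assumes openssl in PATH; all names and subjects below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SUBJECT ISSUER EXTENSION   (ISSUER="" means self-signed)
issue() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    printf '%s\n' "$4" > "$1.ext"
    if [ -z "$3" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
            -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
            -CAcreateserial -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    fi
}

# Root CA made outside puppet, intermediate CA handed to the new master,
# and the master's own server certificate issued by that intermediate.
issue root         "/CN=Constructed Root CA"          ""           "basicConstraints=critical,CA:TRUE"
issue intermediate "/CN=Constructed Puppet CA"        root         "basicConstraints=critical,CA:TRUE"
issue master       "/CN=puppetmaster.example.invalid" intermediate "basicConstraints=CA:FALSE"

# client_trusts STORE [EXTRA]: does master.crt verify against trust store STORE when
# the server also presents the untrusted certs in EXTRA? Checks the "OK" line, not the exit code.
client_trusts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" master.crt 2>/dev/null
    else
        openssl verify -CAfile "$1" master.crt 2>/dev/null
    fi | grep -q 'master.crt: OK'
}

cp intermediate.crt ca_intermediate_only.pem       # what the failing client had
cat intermediate.crt root.crt > ca_with_root.pem   # ca.pem with the top-level CA added
cp root.crt ca_root_only.pem                       # root only, intermediate missing

report() { if client_trusts "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi; }
report "ca.pem = intermediate only"                         ca_intermediate_only.pem
report "ca.pem = intermediate + root"                       ca_with_root.pem
report "ca.pem = root only, master sends only its own cert" ca_root_only.pem
report "ca.pem = root only, master also sends intermediate" ca_root_only.pem intermediate.crt
```

The two "root only" cases are the caveat worth checking on a real master: if it presents only its own certificate, the client also needs the intermediate, either bundled in ca.pem next to the root or sent by the master as part of its chain.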