John T. Guthrie
2011-Aug-01 19:39 UTC
[Puppet Users] certificate authority chaining and verification
Hello all,

I've recently installed a puppet PKI as detailed in the "Multiple Certificate Authorities" document. However, when I try to list the signed certificates using "puppet cert list --all", I get the following output:

    - bnjpuppet02.mydomain.com (57:51:05:FF:03:5A:C2:4D:3B:E2:BF:CF:18:B3:C8:4C) (unable to get issuer certificate)

I assume that this is because the CA cert that I am using is in fact signed by another CA, and the cert for that is not available to the above command. Now, when I replace $ssldir/ca/ca_crt.pem with a full certificate chain, starting with my machine's local CA, then the above error goes away, and I get a different error message:

    - bnjpuppet02.mydomain.com (57:51:05:FF:03:5A:C2:4D:3B:E2:BF:CF:18:B3:C8:4C) (unable to get certificate CRL)

My first question is what do I need to do to make this second error go away. I have already tried playing with the certificate_revocation flag to no effect. Also, I'm assuming that this will impact the ability of puppet to verify my clients. Or is that a function of setting up the CA chain at the authentication end point? (I'm using mongrel with an apache proxy.)

I am using puppet 2.7.1.

Thanks very much in advance.

John Guthrie
jguthrie@book.com
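Both messages quoted in the post are OpenSSL certificate-verification error strings. As an added example that is not part of the original post, this script reproduces them with the openssl CLI (not Puppet) on a constructed root -> intermediate -> leaf PKI, and shows that chain-wide CRL checking needs a CRL from every CA in the chain. Assumptions: all file and subject names are made up, and whether Puppet 2.7.1 checks CRLs chain-wide is not confirmed by the post.

```shell
# Constructed lab PKI (all names made up): root CA -> intermediate CA -> leaf.
set -eu
build_pki() {  # $1 = empty scratch directory
    d=$1; : > "$d/index.txt"
    cat > "$d/lab.cnf" <<EOF
[ca]
default_ca = lab
[lab]
database = $d/index.txt
default_md = sha256
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" \
        -subj '/CN=Lab Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for c in int leaf; do  # key + CSR for the intermediate CA and for the leaf
        openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
            -subj "/CN=lab-$c" -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/lab.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
    for ca in root int; do  # one CRL per CA, nothing revoked
        openssl ca -gencrl -crldays 2 -config "$d/lab.cnf" -cert "$d/$ca.pem" \
            -keyfile "$d/$ca.key" -out "$d/$ca.crl" 2>/dev/null
    done
    cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
    cat "$d/int.crl" "$d/root.crl" > "$d/all.crl"
}

# Print the first OpenSSL verification error for leaf.pem, or nothing when it verifies.
verify_error() {  # $1 = dir, $2 = CA bundle file, rest = extra `openssl verify` flags
    dir=$1; bundle=$2; shift 2
    openssl verify "$@" -CAfile "$dir/$bundle" "$dir/leaf.pem" 2>&1 |
        sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

main() {
    w=$(mktemp -d); trap 'rm -rf "$w"' EXIT; build_pki "$w"
    echo "intermediate only: $(verify_error "$w" int.pem)"
    echo "chain + CA's CRL:  $(verify_error "$w" chain.pem -crl_check_all -CRLfile "$w/int.crl")"
    echo "chain + all CRLs:  $(verify_error "$w" chain.pem -crl_check_all -CRLfile "$w/all.crl")"
}
main
```

In this lab, checking only the leaf (`-crl_check`) succeeds with the intermediate's CRL alone; the CRL error appears once every certificate in the chain is checked (`-crl_check_all`) and the root CA's CRL is missing.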