Hello,
I'm trying to set up a puppet master server with a server certificate from my own organisation (but still use Puppet's own CA for the client certificates).
On the puppet master server, the certificate was put in /var/lib/puppet/ssl/certs (and the private key in the private_keys directory), with the right FQDN host name.
The server configuration seems to work fine, since openssl s_client -connect puppetmaster.example.com:8140 shows that certificate indeed.
On the client side, I've changed certs/ca.pem to use my own CA. OpenSSL verifies it well with:
openssl s_client -CAfile ...path-to/ssl/certs/ca.pem -connect puppetmaster.example.com:8140
However, puppet agent --test --server puppetmaster.example.com fails with:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.
(The FQDNs/Common Names are correct, the clocks are fine, and when I revert to the Puppet CA server certificate, it works too.)
Where are the trust anchors for the puppet agent meant to be configured if it's not in certs/ca.pem?
Best wishes,
Bruno.
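The trust-anchor check described in the mail, reproduced offline as an added example (this is not code from the mail or from the Puppet project): two throwaway CAs are generated, a hypothetical organisation CA and a stand-in for Puppet's own CA, a server certificate for puppetmaster.example.com is issued by the organisation CA, and the certificate is then verified against each CA bundle in turn. Verifying against the wrong anchor is what produces the "certificate verify failed" result; the file names, the temporary directory and the one-day validity are assumptions for the example.

```shell
#!/bin/sh
# Added example: show that chain verification of a server certificate depends
# entirely on which CA bundle is used as the trust anchor.
# CA names "org" and "puppet", and the output file names, are constructed here.
set -e
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA certificate and key in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# issue_server_cert CA_NAME FQDN OUT_NAME: issue a server certificate for FQDN
# signed by the named CA (CSR, then CA signature), written as $WORK/OUT_NAME.pem.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/$3.pem" >/dev/null 2>&1
}

# verify_against CA_NAME CERT_NAME: print "ok" when CERT_NAME.pem chains to the
# named CA bundle, otherwise "verify failed" (the same outcome the agent reports
# when its trust anchor does not match the server certificate's issuer).
verify_against() {
  if openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo "verify failed"
  fi
}

# Stand-alone run: the organisation CA issues the master's certificate, so the
# certificate verifies against the organisation CA and fails against Puppet's.
make_ca org
make_ca puppet
issue_server_cert org puppetmaster.example.com master
echo "against org CA:    $(verify_against org master)"
echo "against puppet CA: $(verify_against puppet master)"
```

The two verify calls correspond to the two situations in the mail: the first is the openssl s_client -CAfile check that passes, the second is the failing case where the client is still verifying against a trust anchor other than the one that issued the master's certificate.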