Hi Mark,
I can understand your frustration. We have been struggling with Puppet
and SSL a lot lately. Our setup is similar but a bit more complicated
so your scenario shouldn't pose any issues. Try this (assuming you are
starting from scratch):

1. Start the production puppet master as usual. This will be your CA.
2. In your development puppet master, set ca = false and ca_server =
production.hostname in puppet.conf in the puppetmasterd section. Also
set server = production.hostname in the puppetd section.
3. In your development puppet master, run puppetd first! This is
needed to generate the certificates and request the CA to sign them.
If you start puppetmasterd first it will fail.
4. Sign the development puppet master certificate on your production
puppet master or set autosign.
5. Once the certificate is signed, re-run puppetd to verify.
6. Start the development puppet master.
7. In your development clients, set ca_server = production.hostname to
have the production puppet master sign their certificates, since it's
your only CA.

Cheers,
Atha

On Nov 18, 11:10 pm, Mark Christian <supertr...@gmail.com> wrote:
> I am keen to get this to work, but can't seem to.  Will this work with
> Mongrel and Apache as described at
> http://reductivelabs.com/trac/puppet/wiki/UsingMongrel ?
> I'm using the EPEL puppet package versions 24.8-4 and simply can't
> get the client to retrieve the catalog from the "Development" server.
>
> Could not retrieve catalog: Certificates were not trusted: tlsv1 alert
> unknown ca
>
> The clients have all been signed by the "Production" server, I've put
> ca_server = myProduction.Server.com in the client's puppet.conf.
>
> Is there any more detail to add to step 5. below?
>
> Thank you.
>
> On Nov 6, 9:38 pm, Dan Bode <d...@reductivelabs.com> wrote:
>
> > Hi Paul,
>
> > I just want to share how I have done this before.
>
> > 1. Production server is the only certificate authority.
> > 2. Development server sets ca_server = false
> > 3. Development server calls puppetd --server production.server
> > 4. Development server now gets a copy of the production server's certificate
> > (ca.pem)
> > 5. Other machines must get signed by the prod server before they can call
> > the dev server (there is a ca_server command line argument)
>
> > the puppet dev server ensures that any calling machines have been signed by
> > the production server (its CA).
>
> > Can you try this setup and see if it resolves your issue?
>
> > There is another thread of people discussing passenger issues. I will go
> > ahead and stage the passenger config with 25.1 this weekend. I will make a
> > post outlining my findings.
>
> > hope this helps,
>
> > Dan
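The steps above boil down to one rule: exactly one CA, and every master and client points at it. The following lint is an added example written for this thread; it is not part of the original posts and not Puppet's own code. It parses a puppet.conf the way puppet 0.24.x reads it (run-mode section first, then [main]) and reports the settings that would turn the development master into a second CA, which is the shape that produces "tlsv1 alert unknown ca" for clients signed by production. The hostnames prod.example.com and dev.example.com and the sample configs are constructed for the example.

```python
"""Lint a puppet.conf for the single-CA layout described in the thread.

Added example, not part of the original thread and not Puppet's own code.
Assumed names: 'prod.example.com' (the only CA) and 'dev.example.com'
(a master with ca = false). Section and setting names are those used by
puppet 0.24.x: [main], [puppetmasterd], [puppetd], ca, ca_server, server.
"""
import configparser


def load_conf(text):
    """Parse puppet.conf text. It is INI-style, so configparser is enough."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def setting(conf, section, key, default=None):
    """Look a setting up the way puppet does: run-mode section, then [main]."""
    for sec in (section, "main"):
        if conf.has_section(sec) and conf.has_option(sec, key):
            return conf.get(sec, key).strip()
    return default


def check_secondary_master(conf, ca_host):
    """Findings for a master that must NOT be a CA (the 'development' master).

    Returns a list of (setting, explanation). An empty list means the
    master defers to ca_host for all certificate issuance.
    """
    problems = []
    # puppetmasterd acts as a CA unless told otherwise, so a missing 'ca'
    # is as bad as 'ca = true': the master would sign its own clients with
    # a second root, and anything signed by the other root is 'unknown ca'.
    if setting(conf, "puppetmasterd", "ca", "true").lower() != "false":
        problems.append(("ca", "master would act as a second CA; set ca = false"))
    if setting(conf, "puppetmasterd", "ca_server") != ca_host:
        problems.append(("ca_server", "must name the only CA (%s)" % ca_host))
    # The master's own agent must fetch its certificate from the CA master
    # (step 3 in the thread: run puppetd against production first).
    if setting(conf, "puppetd", "server") != ca_host:
        problems.append(("server", "puppetd on this host must talk to %s "
                                   "to get its certificate signed" % ca_host))
    return problems


def check_client(conf, ca_host):
    """Findings for an agent that talks to the secondary master."""
    problems = []
    # ca_server defaults to the value of server, so a client that only
    # sets server = dev would ask the dev master to sign it.
    ca_server = (setting(conf, "puppetd", "ca_server")
                 or setting(conf, "puppetd", "server"))
    if ca_server != ca_host:
        problems.append(("ca_server", "client must be signed by the only CA (%s)" % ca_host))
    return problems


# Constructed sample: dev master left with the defaults, the shape that
# produces 'tlsv1 alert unknown ca' for clients signed by production.
DEV_MASTER_BAD = """
[main]
vardir = /var/lib/puppet

[puppetmasterd]
certname = dev.example.com

[puppetd]
server = dev.example.com
"""

# Constructed sample: the corrected dev master from the thread's steps 2-3.
DEV_MASTER_GOOD = """
[main]
vardir = /var/lib/puppet

[puppetmasterd]
ca = false
ca_server = prod.example.com

[puppetd]
server = prod.example.com
"""

# Constructed sample: a development client (step 7).
CLIENT_GOOD = """
[puppetd]
server = dev.example.com
ca_server = prod.example.com
"""


if __name__ == "__main__":
    for name, text in (("dev master (bad)", DEV_MASTER_BAD),
                       ("dev master (good)", DEV_MASTER_GOOD)):
        print(name, check_secondary_master(load_conf(text), "prod.example.com"))
    print("client", check_client(load_conf(CLIENT_GOOD), "prod.example.com"))
```

The lint only covers puppet.conf. When something other than puppetmasterd terminates TLS on the development master (the Apache front end from the Mongrel setup Mark asks about), that front end has to be given the production ca.pem as its trusted CA as well; the config above cannot see that, so it is a separate check.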

--

You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.