I've spent about 12 hours trying to get an existing CA to be used with
a new puppetmaster setup, any help is appreciated:

I have an existing CA that I want to use on a new puppetmaster setup.
I copied my existing private key and CA cert, used the private key to
generate the public key into /var/lib/puppet/ssl/ca.

Running "openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -text -noout" gives something like:
Certificate:
  Data:
    Version: 3
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Login Master CA
    Validity: ....
    Subject: CN=Login Master CA
....

I run "puppet master --no-daemonize" to get an initial server cert
created and signed by this CA. Output of "openssl x509 -in
/var/lib/puppet/ssl/certs/myserver.com.pem -text -noout" gives something
like (it is a 1024 bit cert):
Certificate:
  Data:
    Version: 3
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Login Master CA
    Validity: ....
    Subject: CN=myserver.com
...

My /etc/hosts has "myserver.com" defined. My /etc/puppet/puppet.conf
has "certname=myserver.com" in the [master] section.

So if I try to connect with "openssl s_client -connect myserver.com:8140
-state -showcerts -CAfile ... -cert ... -key ..." I get an SSL
handshake failure.  When I try to do the same thing with Apache/
passenger, I can get the cert listing.  However, running "puppet agent
--test" fails with a "certificate verify" error in both the Apache and
the direct puppetmaster cases.

Is the issue that my "Subject/CN=" in my original CA cert doesn't
match my hostname? I tried setting "certname=login master ca" in my
puppet.conf, but that didn't help either.

Thanks.

-- G

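As an added example (not part of the original post, and not Puppet's own tooling): a shell script that runs the checks a practitioner would want before reasoning about hostnames in a setup like the one above. The function check_puppet_ca takes a CA cert, the CA private key, a server cert and the expected CN and verifies four things: that the private key really belongs to the CA cert, that the CA cert carries basicConstraints CA:TRUE, that the server cert chains to and is still valid under that CA, and that the server cert's subject CN equals the name the agent connects to. Puppet agents verify the master's certificate against the CA copy in their own ssl/certs/ca.pem, so a server cert signed by a CA other than the one the agent holds fails exactly with a "certificate verify" error; the script reproduces that case. All keys and certs are constructed on the fly with openssl (a throwaway CA named "Login Master CA" and one named "Other CA", both assumptions for the demo, not the poster's real material) so it runs offline and needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a throwaway CA plus a
# server cert and runs the sanity checks you would run on a real imported CA.

# check_puppet_ca CA_CERT CA_KEY SERVER_CERT EXPECTED_CN
# Prints one line per check; returns 0 only if every check passes.
check_puppet_ca() {
  ca_crt=$1; ca_key=$2; srv_crt=$3; want_cn=$4; failed=0

  # 1. The CA private key must correspond to the CA certificate's public key;
  #    otherwise certs signed by puppetmaster will never verify.
  crt_pub=$(openssl x509 -in "$ca_crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$ca_key" -pubout 2>/dev/null)
  if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
    echo "ok   CA key matches CA cert"
  else
    echo "FAIL CA key does not match CA cert"; failed=1
  fi

  # 2. The CA cert must be marked as a CA, or strict verifiers reject the chain.
  if openssl x509 -in "$ca_crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "ok   CA cert has basicConstraints CA:TRUE"
  else
    echo "FAIL CA cert is not marked CA:TRUE"; failed=1
  fi

  # 3. The server cert must chain to this CA and be within its validity period.
  #    Old openssl versions exit 0 even on failure, so grep for ": OK".
  if openssl verify -CAfile "$ca_crt" "$srv_crt" 2>/dev/null | grep -q ': OK$'; then
    echo "ok   server cert verifies against CA"
  else
    echo "FAIL server cert does not verify against CA"; failed=1
  fi

  # 4. The subject CN must equal the name clients connect to (the certname).
  got_cn=$(openssl x509 -in "$srv_crt" -noout -subject -nameopt RFC2253 2>/dev/null \
           | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$got_cn" = "$want_cn" ]; then
    echo "ok   server cert CN is $got_cn"
  else
    echo "FAIL server cert CN is '$got_cn', expected '$want_cn'"; failed=1
  fi
  return $failed
}

# make_demo_pki DIR CA_CN: constructed test data, a self-signed CA named CA_CN
# and a server cert for myserver.com signed by it (assumed names, demo only).
make_demo_pki() {
  dir=$1; ca_cn=$2
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $ca_cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=myserver.com" -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.com\nextendedKeyUsage=serverAuth,clientAuth\n' \
    > "$dir/srv.ext"
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 1 -days 365 -extfile "$dir/srv.ext" -out "$dir/srv.crt" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/good" "$DEMO_DIR/other"
make_demo_pki "$DEMO_DIR/good"  "Login Master CA"
make_demo_pki "$DEMO_DIR/other" "Other CA"

echo "== server cert checked against the CA that signed it"
check_puppet_ca "$DEMO_DIR/good/ca.crt" "$DEMO_DIR/good/ca.key" "$DEMO_DIR/good/srv.crt" myserver.com
echo "== same server cert checked against a different CA (an agent holding the wrong ca.pem)"
check_puppet_ca "$DEMO_DIR/other/ca.crt" "$DEMO_DIR/other/ca.key" "$DEMO_DIR/good/srv.crt" myserver.com \
  || echo "checks failed, as expected for a mismatched CA"
```

On a real master, point the function at the files the post names, for example check_puppet_ca /var/lib/puppet/ssl/ca/ca_crt.pem /var/lib/puppet/ssl/ca/ca_key.pem /var/lib/puppet/ssl/certs/myserver.com.pem myserver.com (the ca_key.pem filename is assumed from Puppet's default layout). Running check 3 a second time with the agent's own copy of the CA, ssl/certs/ca.pem on the agent host, in place of ca_crt.pem tells you whether the agent trusts the CA that actually signed the master's cert.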