From http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security

Check certificate and validity:

  openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem

How do you specify the puppetmaster on the clients? Do you have a server= line in puppet.conf?
How do the three clients resolve the puppetmaster?

Check certificate on master (take care on AltDNS Names):

  openssl x509 -text -noout -in /etc/puppet/ssl/certs/master.example.com.pem

Check ca on master:

  openssl x509 -text -noout -in /etc/puppet/ssl/certs/ca.pem

Simulate an SSL connection:

  openssl s_client -host puppet -port 8140 -cert /path/to/ssl/certs/node.domain.com.pem -key /path/to/ssl/private_keys/node.domain.com.pem -CAfile /path/to/ssl/certs/ca.pem

(from http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/)

On 06.07.2012, at 12:20, Martinus wrote:

> Martin,
>
> Everything is worth a try !
>
> But it did not work :(
> I commented out that line (SSLCARevocationFile) and restarted apache. No
> change on the working servers, good. No change on the broken servers, bad.
>
> Martinus.
>
> On Friday, 6 July 2012 11:02:10 UTC+1, Matthew Burgess wrote:
>
> > As an additional note, when I stop apache and start puppetmaster with its
> > inbuilt web server, then these 3 clients are happy.
>
> Ah, that triggered a memory!
>
> http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger has an
> example Apache config stanza for the puppetmaster virtualhost. In it
> are the following couple of lines:
>
> # CRL checking should be enabled; if you have problems with Apache
> complaining about the CRL, disable the next line
> SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>
> I know it won't help understanding *why* your 3 nodes are misbehaving,
> but it may help workaround it.
>
> Regards,
>
> Matt.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/SJL2yF2M0xoJ.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
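
The certificate checks listed in the reply above (validity, signing CA, and the master's alternative DNS names), wrapped as shell functions and run against a throwaway PKI. This is an added example, not part of the original thread: the function names, the demo CA and its file names are constructed for illustration, and it assumes an `openssl` binary with its stock configuration.

```shell
#!/bin/sh
# Added example; the helper names and the throwaway PKI are constructed.

# 0 if certificate $1 has not passed its notAfter date (-checkend tests expiry only).
cert_valid_now() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# 0 if $1 chains to the CA in $2; also fails for expired or not-yet-valid certs.
signed_by_ca() { openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; }

# 0 if DNS name $1 is listed in the subjectAltName of certificate $2.
san_has_name() {
  openssl x509 -in "$2" -noout -text | tr ',' '\n' |
    sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$1"
}

# Build constructed test data in directory $1: a CA, a master certificate with
# two SAN entries signed by it, and an unrelated CA for the mismatch case.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Puppet CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
  printf 'subjectAltName=DNS:puppet,DNS:master.example.com\n' > "$dir/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=master.example.com" \
    -keyout "$dir/master.key" -out "$dir/master.csr" 2>/dev/null
  openssl x509 -req -in "$dir/master.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$dir/san.ext" -out "$dir/master.pem" 2>/dev/null
}

# Demo run: the same master certificate checked against the right and wrong CA,
# and against a server= name that is and is not in its SAN list.
demo=$(mktemp -d) && make_demo_pki "$demo"
cert_valid_now "$demo/master.pem" && echo "master.pem: not expired"
for ca in ca other; do
  if signed_by_ca "$demo/master.pem" "$demo/$ca.pem"; then r=OK; else r=FAIL; fi
  echo "master.pem against $ca.pem: $r"
done
for name in puppet puppetmaster; do
  if san_has_name "$name" "$demo/master.pem"; then r=listed; else r=missing; fi
  echo "server=$name in master SAN: $r"
done
rm -rf "$demo"
```

On a real node, pass the paths from the reply (the node's certificate, the master's certificate and `ca.pem`) to the three check functions instead of the demo files.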
