Turns out this was the problem - thanks for the help, guys, as always, talking it out helped point me down the right path.
Thanks,
Rog

On Tuesday, November 18, 2014 9:56:05 AM UTC-5, Roger Sherman wrote:
>
> Right - and on that note, I think I've made a little bit of progress, but
> I'm still not there yet.
>
> I looked at the apache vhost file for the puppetmaster, and found the
> following:
>
> # you probably want to tune these settings
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1000
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
> NameVirtualHost 10.60.0.100:8140
>
> <VirtualHost 10.60.0.100:8140>
>     # LogLevel debug
>     ServerName puppet.nyc.viddler.com
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     # If Apache complains about invalid signatures on the CRL, you can try disabling
>     # CRL checking by commenting the next line, but this is not recommended.
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>
> So "domain" is our old domain, and 10.60 needs to be changed as well.
>
> I'll report back if this fixes the issue or not.
>
> On Tuesday, November 18, 2014 9:46:22 AM UTC-5, jcbollinger wrote:
>>
>> On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote:
>>>
>>> For some reason, (I think) the PM is unable to sign them. At least,
>>> that's what seems to be the case.
>>
>> Well yes, sort of. It appears that the PM is unable to sign the requests
>> because the client is unable to establish a secure connection over which to
>> *issue* the request in the first place. (The client doesn't need its
>> own cert for that. The client cert is for the client to prove its identity
>> to the master, which it doesn't need to do to request cert signing.)
>>
>> John
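
An added example, not part of the original thread or of Puppet itself: a small Python check for the kind of mismatch found above, where the vhost still points at certificate files named for an old domain and binds to an old address. The sample config is constructed from the directives quoted in the thread; `parse_directives`, `check_vhost`, the `10.70.0.5` address and the assumption that the cert file name should equal `ServerName` are illustrative.

```python
import os
import re

# Constructed sample built from the directives quoted in the thread.
SAMPLE_VHOST = """\
Listen 8140
NameVirtualHost 10.60.0.100:8140
<VirtualHost 10.60.0.100:8140>
    ServerName puppet.nyc.viddler.com
    SSLEngine on
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
</VirtualHost>
"""

def parse_directives(conf_text):
    """Collect 'Name value' directives; the <VirtualHost addr> tag is stored too."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if tag:
            found["VirtualHost"] = tag.group(1).strip()
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("<"):
            found[parts[0]] = parts[1].strip()
    return found

def check_vhost(conf_text, local_addrs):
    """Return (directive, value, reason) tuples for stale names or addresses.

    local_addrs is the set of IPv4 addresses the host has now (caller-supplied).
    """
    d = parse_directives(conf_text)
    findings = []
    server_name = d.get("ServerName", "")
    # Heuristic: Puppet stores the master's cert and key as <certname>.pem.
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = d.get(key)
        if path and os.path.splitext(os.path.basename(path))[0] != server_name:
            findings.append((key, path, "file name does not match ServerName"))
    for key in ("NameVirtualHost", "VirtualHost"):
        addr = d.get(key, "*").rsplit(":", 1)[0]
        if addr not in ("*", "_default_") and addr not in local_addrs:
            findings.append((key, d[key], "address not assigned to this host"))
    return findings
```

Calling `check_vhost(SAMPLE_VHOST, {"10.70.0.5"})` reports the two certificate paths and the two address directives; a file-name match is only a hint, so the certificate's actual subject and alternative names still need to be confirmed against the name agents connect to.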
