Issue #14696 has been updated by Charlie Sharpsteen.
Redmine Issue [#14696](http://projects.puppetlabs.com/issues/14696) has been migrated to JIRA: <https://tickets.puppetlabs.com/browse/PDB-131>

----------------------------------------
Feature #14696: enhancements to SSL for puppet apply
https://projects.puppetlabs.com/issues/14696#change-101415

* Author: R.I. Pienaar
* Status: Accepted
* Priority: Low
* Assignee:
* Category:
* Target version:
* Keywords:
* Branch:
* Affected PuppetDB version:
----------------------------------------
Your typical puppet apply setup would not have a CA, so there won't be certs prior to enabling the puppetdb terminus. When running it against a remote puppetdb you get:

<pre>
warning: peer certificate won't be verified in this SSL session
err: Cached facts for dev4.devco.net failed: Failed to find facts from PuppetDB at dev3.devco.net:8081: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate
warning: peer certificate won't be verified in this SSL session
Could not run: Could not retrieve facts for dev4.devco.net: Failed to submit 'replace facts' command for dev4.devco.net to PuppetDB at dev3.devco.net:8081: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate
</pre>

So without a shared CA this leaves a few options:

* let people specify completely custom sets of certs both on puppetdb and the node side, as people might have some shared PKI already
* allow anon SSL, which would at least encrypt the payload if not protect against MITM
* allow plain text calls to the puppetdb and make this configurable on the clients
