I've seen that when the clocks on the two hosts were out of sync. Even when I brought the clocks back into sync I found that I had to regenerate the certs to get it working.
master:
puppet cert --clean <agent certname>
(restart the puppetmaster)
agent:
(remove the certs)
(restart the agent and get the new cert request signed)
On Tue, Apr 24, 2012 at 10:49:00AM -0700, Eric Sorenson wrote:
> I suspect something is wrong with the underlying ssl libraries on the
> client with the problem. Does the output of 'rpm -qa | grep ssl' on the
> non-working client look the same as the client which works? How about
> ldd -r `rpm -ql ruby-libs | grep openssl.so`
> ?
>
> On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas Bétrancourt wrote:
>
> Hi!
>
> I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with an
> rpm supplied by [1]yum.puppetlabs.com.
>
> I've set up an apache2 vhost with mod_ssl and passenger. The server is
> configured to autosign the cert requests.
>
> The agent installed on the puppetmaster's server works fine. I've a
> second agent on a server which can sync with the server too. This server
> is on CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt.
> All virtual machines are configured to join a network bridge. Some
> iptables rules forward the traffic from the VM to the world (and
> vice versa). The world can connect to the VM (i.e. SSH) and the VM
> can go to the world.
>
> On the hypervisor, I've a VM on CentOS 6.2 too. The DNS name 'puppet' is
> resolved by the hypervisor (which has a dnsmasq server). When I'm
> launching the puppet agent for the first time, a cert is generated by
> the server. The client has now the certs and key on its filesystem. But
> when the client is trying to sync with the server, I've got the
> following output:
> [root@machine-1 ~]# puppet agent --test
> info: Creating a new SSL key for [2]machine-1.test.betrancourt.net
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for
> [3]machine-1.test.betrancourt.net
> info: Certificate Request fingerprint (md5):
> BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for [4]machine-1.test.betrancourt.net
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert
> protocol version
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
> read server session ticket A: tlsv1 alert protocol version
> [root@machine-1 ~]#
>
> The client cert is in the server cert db:
> [root@medion ~]# puppetca list --all | grep machine-1
> + [5]machine-1.test.betrancourt.net
> (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)
>
> In puppet.conf, on the server, I've the following content:
> [main]
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
>
> [agent]
> classfile = $vardir/classes.txt
> localconfig = $vardir/localconfig
> pluginsync = true
>
> [master]
> autosign = true
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> My apache vhost is configured like this:
> <VirtualHost [6]192.168.1.60:8140>
>
> References
>
> Visible links
> 1. http://yum.puppetlabs.com/
> 2. http://machine-1.test.betrancourt.net/
> 3. http://machine-1.test.betrancourt.net/
> 4. http://machine-1.test.betrancourt.net/
> 5. http://machine-1.test.betrancourt.net/
> 6. http://192.168.1.60:8140/
> 7. https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ
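Before cleaning and re-issuing certs as in the reply above, it is worth confirming whether clock skew actually puts the agent's certificate outside its validity window. The following is an added example, not code from the thread or from Puppet: it parses the output of `openssl x509 -noout -dates` and reports how a peer whose clock is offset by a given number of seconds would judge the certificate. The sample dates, the `peer_skew` parameter and the helper names are my own.

```python
"""Judge a Puppet SSL certificate's validity window under clock skew.
Added example (not from the thread): parses `openssl x509 -noout -dates`
output and shows how a peer with an offset clock would see the cert."""
import subprocess
from datetime import datetime, timedelta, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Apr 22 09:19:27 2012 GMT"

def parse_openssl_time(value):
    return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Return (not_before, not_after) from 'notBefore=...'/'notAfter=...' lines."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = parse_openssl_time(value)
    return dates["notBefore"], dates["notAfter"]

def validity(not_before, not_after, now, peer_skew=0):
    """Judge the cert as a peer would whose clock is `peer_skew` seconds ahead
    (positive) or behind (negative) of `now`.  Returns (status, seconds):
    the margin while valid, the distance outside the window otherwise."""
    peer_now = now + timedelta(seconds=peer_skew)
    if peer_now < not_before:
        return "not_yet_valid", (not_before - peer_now).total_seconds()
    if peer_now > not_after:
        return "expired", (peer_now - not_after).total_seconds()
    return "valid", min(peer_now - not_before, not_after - peer_now).total_seconds()

def diagnose(dates_text, now_text, peer_skew=0):
    """Same check with every input as an openssl-formatted string."""
    not_before, not_after = parse_openssl_dates(dates_text)
    return validity(not_before, not_after, parse_openssl_time(now_text), peer_skew)

def check_cert_file(path, peer_skew=0):
    """Run openssl on a PEM file, e.g. the agent's $ssldir/certs/<fqdn>.pem."""
    out = subprocess.check_output(
        ["openssl", "x509", "-in", path, "-noout", "-dates"], text=True)
    return diagnose(out, datetime.now(timezone.utc).strftime(OPENSSL_DATE), peer_skew)

# Constructed sample (dates invented): a cert signed at 09:19:27 on Apr 22 2012.
SAMPLE_DATES = "notBefore=Apr 22 09:19:27 2012 GMT\nnotAfter=Apr 22 09:19:27 2017 GMT\n"

if __name__ == "__main__":
    # Agent clock one day behind the master that signed the cert.
    print(diagnose(SAMPLE_DATES, "Apr 22 10:00:00 2012 GMT", peer_skew=-86400))
```

Run `check_cert_file` against the agent's own cert with the measured offset between agent and master clocks (for example from `ntpdate -q` or `date` on both hosts); a "not_yet_valid" result explains the SSL failure without touching the CA.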