"certificate verify failed" - but clocks are in sync


Jim Garrison

Mar 30, 2012, 7:20:21 PM
to puppet...@googlegroups.com
Apologies if this is a duplicate, but GG seems to have eaten my previous post.

I'm trying to set up a simple master/agent on two VMs under the same ESXi host.

I start up the master successfully on vm1, then start up the agent on vm2:

    sudo puppet agent --server vm1 --waitforcert 60 --test

On the master I sign the certificate request and then on the agent (vm2) I see:

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for vm2.jhmg.net
    info: Certificate Request fingerprint (md5): E2:79:4A:81:21:56:7E:2A:9B:B2:3C:74:27:15:24:4C
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for vm2.jhmg.net
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

I have ntp running on both VMs, and have verified that their clocks are synchronized to within 1ms of each other.

What ELSE could cause this in such a simple setup?

Denmat

Mar 31, 2012, 1:01:43 AM
to puppet...@googlegroups.com
Try using the fully qualified domain name: vm1.blah.com

The server name needs to match the certificate. What you can do is remove all your Puppet SSL dirs (usually /var/lib/puppet/ssl) and set certname in your puppet.conf to be what you call the hosts instead of using DNS names.

i.e. on the master:

    [main]
    certname = puppet.my.com

on the client:

    [main]
    certname = client.my.com
    server = puppet.my.com

Then put entries in /etc/hosts to match.

That might help you along a bit.

Den
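The failure in the first post is a hostname check, not a clock problem: the agent connected with `--server vm1`, but the master's certificate was issued for the FQDN, so the name presented at connection time matches nothing in the certificate. The following is an added example, not code from the thread or from Puppet, that implements the same kind of name matching in Python over constructed certificate dicts shaped like the value `ssl.getpeercert()` returns. The certificate names (`vm1.jhmg.net`, `*.my.com`, `puppet.my.com`) are placeholders taken from the thread; it also goes beyond the thread by showing how a wildcard name and an older CN-only certificate are handled.

```python
import re

# Constructed certificate dicts in the shape ssl.getpeercert() returns.
# These are illustrative placeholders, not real certificates.
MASTER_CERT = {
    "subject": ((("commonName", "vm1.jhmg.net"),),),
    "subjectAltName": (("DNS", "vm1.jhmg.net"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.my.com"),),),
    "subjectAltName": (("DNS", "*.my.com"),),
}
CN_ONLY_CERT = {  # older-style certificate with no SAN extension at all
    "subject": ((("commonName", "puppet.my.com"),),),
}

_LABEL = re.compile(r"^[a-z0-9-]+$")


def names_from_cert(cert):
    """Return the DNS names a certificate is valid for.

    SAN dNSName entries take precedence; the subject CN is only consulted
    when the certificate carries no dNSName SAN entry.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label, so '*.my.com' covers 'puppet.my.com' but neither
    'my.com' nor 'a.b.my.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:] and _LABEL.match(hlabels[0]) is not None


def hostname_matches(cert, hostname):
    """True if the hostname used to connect is covered by the certificate."""
    return any(name_matches(name, hostname) for name in names_from_cert(cert))


def diagnose(cert, hostname):
    """Explain the outcome in terms an operator can act on."""
    names = names_from_cert(cert)
    if hostname_matches(cert, hostname):
        return "ok: %s matches certificate names %s" % (hostname, names)
    return ("certificate verify failed: connected as %r but the certificate is "
            "valid for %s; connect with the FQDN or set certname/server to match"
            % (hostname, names))


if __name__ == "__main__":
    # Reproduces the thread: the short name fails, the FQDN succeeds.
    for host in ("vm1", "vm1.jhmg.net"):
        print(diagnose(MASTER_CERT, host))
```

Running the block prints a failure line for `vm1` and an ok line for `vm1.jhmg.net`; clock skew never enters into it. A quick check that the name an agent is configured with appears in the master's certificate (for example with `openssl x509 -noout -subject -ext subjectAltName` on the master's cert file) is the fastest way to rule this cause in or out before chasing NTP.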

Jim Garrison

Mar 31, 2012, 1:01:24 PM
to puppet...@googlegroups.com
That was it, thanks. I guess I assumed the command would resolve the hostname and provide the FQDN for me.