Certificate verify failed when syncing to self

[llo...@oreillyauto.com]

I am using puppet to control my master, but currently when the agent runs (on the master) I am getting "err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client"

What else can be the cause of this? The time can't be out of sync - it's the same VM that is both Agent and Master.

I have been able to successfully sync this way before but this is a dev environment so have been playing with my manifests and modules a lot.

I have not, however, touched my certs since those got working.

[llo...@oreillyauto.com]

Please disregard, my puppet.conf had accidentally gotten overwritten and it was trying to pull from the wrong master as a result.

[Jeff McCune]

On Friday, November 2, 2012, hasufel wrote:

I'm having this issue, too.

What version of Puppet?  Is the master using a different confdir than it was in a previous version?  The semantics of the default confdir have changed as of 3.0.

-Jeff 

[hasufel]

I'm using Puppet 2.7.14, on a CentOS 6.3 VM.  I'm using the VM for both the master and agent, and I was able to get things running using "puppet apply site.pp", but I can't get things running with "puppet agent --test"; it gives me the following errors:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

I have another VM (a copy of the original) that I use just as an agent (with the first VM as the master), and I've been getting that same error on there for even longer.

[hasufel]

I've tried clearing out the SSL directory and cleaning the certificates, but it's still giving me the same errors.

[Jeff McCune]

On Fri, Nov 2, 2012 at 2:24 PM, hasufel <meve...@hammers.com> wrote:

I've tried clearing out the SSL directory and cleaning the certificates, but it's still giving me the same errors.

How is the master process being started?  Could you paste the exact command with the complete argument vector if it's from an init script, or your rack configuration if it's using the rack middleware?

Similarly, How is the agent process being started?  Is it just puppet agent --test as root?

-Jeff

[hasufel]

To properly reply to you, I killed my puppet process, and restarted it, and somehow everything started working correctly with "puppet agent --test", from the master VM.  However, the agent VM is still giving the same error, so I guess it's possible it's now just a time issue.

The master process I usually start with "puppet master --mkusers", and the agent process I usually start with "puppet agent --test", both while in root.