I have a problem on 3 out of ~40 servers that gives the following error:

err: Could not request certificate: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure

From previous posts, I made sure that SSLVerifyClient is set to optional. I also cleared /var/lib/puppet/ssl/ client side, not that it should make any difference as this error is on the first run of Puppet.

When I try to run Puppet from any of these 3 servers, there is nothing noted in /var/log/apache2/* server side. I have confirmed networking is ok with telnet and also checked that there is traffic with tcpdump.

Puppet server is at 2.7.11 and client is also at 2.7.11, both from Ubuntu repositories.

Any help would be appreciated to find why these 3 particular servers are giving me problems.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/mzcj4gN-AWQJ.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
There is nothing to clean, as "puppet cert --list" or "puppet cert --list --all" does not have an entry for those 3 particular servers.

Deleting the client side ssl* makes no difference either. The client will recreate the ssl (good) and the same error pops up, without anything showing up on the master (puppet cert --list).

And that is why I thought there is a communication problem. But here is the tcpdump output to show that they are talking:

09:01:57.812646 IP my_client.46516 > my_server.8140: Flags [S], seq 1288389639, win 14600, options [mss 1460,sackOK,TS val 1052151283 ecr 0,nop,wscale 4], length 0
09:01:57.812700 IP my_server.8140 > my_client.46516: Flags [S.], seq 300735116, ack 1288389640, win 14480, options [mss 1460,sackOK,TS val 38287565 ecr 1052151283,nop,wscale 4], length 0
09:01:57.814298 IP my_client.46516 > my_server.8140: Flags [.], ack 1, win 913, options [nop,nop,TS val 1052151283 ecr 38287565], length 0
09:01:57.814686 IP my_client.46516 > my_server.8140: Flags [P.], seq 1:175, ack 1, win 913, options [nop,nop,TS val 1052151283 ecr 38287565], length 174
09:01:57.814715 IP my_server.8140 > my_client.46516: Flags [.], ack 175, win 972, options [nop,nop,TS val 38287566 ecr 1052151283], length 0
09:01:57.815226 IP my_server.8140 > my_client.46516: Flags [P.], seq 1:8, ack 175, win 972, options [nop,nop,TS val 38287566 ecr 1052151283], length 7
09:01:57.815378 IP my_server.8140 > my_client.46516: Flags [F.], seq 8, ack 175, win 972, options [nop,nop,TS val 38287566 ecr 1052151283], length 0
09:01:57.816686 IP my_client.46516 > my_server.8140: Flags [.], ack 8, win 913, options [nop,nop,TS val 1052151284 ecr 38287566], length 0
09:01:57.816884 IP my_client.46516 > my_server.8140: Flags [F.], seq 175, ack 9, win 913, options [nop,nop,TS val 1052151284 ecr 38287566], length 0
09:01:57.816894 IP my_server.8140 > my_client.46516: Flags [.], ack 176, win 972, options [nop,nop,TS val 38287566 ecr 1052151284], length 0

As an additional note, when I stop apache and start puppetmaster with its inbuilt web server, then these 3 clients are happy.
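
The server's only payload in the capture above is 7 bytes followed by a FIN, which is exactly the size of one plaintext TLS alert record (5-byte record header plus 2-byte alert). As an added example, not part of the original thread, this Python code decodes such a record; the sample bytes are constructed, since the capture does not show payload contents.

```python
import struct

# Subset of alert descriptions from the SSL/TLS specifications.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_tls_record(data):
    """Parse the first TLS record in data; decode it if it is a plaintext alert."""
    if len(data) < 5:
        raise ValueError("truncated record header: need 5 bytes, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body: need %d bytes, got %d"
                         % (length, len(body)))
    record = {
        "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": (major, minor),
        "length": length,
        "wire_size": 5 + length,  # bytes on the wire, comparable to tcpdump's "length"
    }
    # A plaintext alert body is exactly two bytes: level, then description.
    if ctype == 21 and length == 2:
        record["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        record["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return record


# Constructed sample (not taken from the capture): alert record, version 3.0,
# level fatal (2), description handshake_failure (40).
SAMPLE_ALERT = bytes([0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    print(parse_tls_record(SAMPLE_ALERT))
```

To feed it real bytes, capture with `tcpdump -w` and extract the server's payload; a fatal alert sent straight after the ClientHello means the TLS layer refused the handshake before any HTTP request reached Apache.
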
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem
openssl s_client -host puppet -port 8140 -cert /path/to/ssl/certs/node.domain.com.pem -key /path/to/ssl/private_keys/node.domain.com.pem -CAfile /path/to/ssl/certs/ca.pem