PuppetDB certificate signature failure for /CN=puppetdb


chris mague

Jan 16, 2013, 1:43:35 PM1/16/13
to puppet...@googlegroups.com
I regenerated the puppetdb certs according to the instructions here:

Step 3, Option B


And I can verify the cert manually using the openssl client:

# echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile /etc/ssl/certs/puppetdb.pem | grep Verify
    Verify return code: 0 (ok)

However I still get the following:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for host23.example.com to PuppetDB at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppetdb]

Where do I place the certs so they are validated by the puppetdb terminus?


Ken Barber

Jan 18, 2013, 12:24:31 PM1/18/13
to Puppet Users
Hi Chris,
The puppetdb terminus should utilise the certificates from the Puppet
master instance it is running from. So from a client/terminus
perspective, you shouldn't have to do anything.

It feels like it's the certificates on the puppetdb server that are
having trouble. What are the full results of this command, when run
from the puppetmaster itself?

openssl s_client -connect puppetdb:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem

Note: I'm specifying the CA file to be the CA on the puppetmaster in
this case, which is what the puppetdb terminus should use. I wasn't
quite sure /etc/ssl/certs/puppetdb.pem in your case was the correct CA
PEM. Either way, I'm interested in the full output using the
puppetmaster's CA specifically, as this is what the puppetdb
terminus/client will use.

Also, what about the contents of the keystore on the puppetdb server
that you configured with those instructions you specified? This is for
example what mine looks like (with the key identifier section
removed):

# keytool -list -v -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: puppetdb1.vm
Creation date: 10-Jan-2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=puppetdb1.vm
Issuer: CN=Puppet CA: puppetdb1.vm
Serial number: 2
Valid from: Wed Jan 09 18:49:41 GMT 2013 until: Tue Jan 09 18:49:41 GMT 2018
Certificate fingerprints:
MD5: 5A:CB:F2:5E:84:27:E8:49:BF:0E:83:3A:3A:A8:EA:09
SHA1: 8F:CA:36:99:93:9F:DB:04:B6:5F:67:45:70:0C:D0:B1:B1:D7:35:D2
SHA256: D0:C4:C5:D4:FA:14:37:B1:74:F5:D9:EB:78:E0:26:71:06:2F:98:E4:EA:BC:22:6C:E6:40:A4:5A:5E:C5:77:8D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 28 50 75 70 70 65 74 20 52 75 62 79 2F 4F 70 .(Puppet Ruby/Op
0010: 65 6E 53 53 4C 20 49 6E 74 65 72 6E 61 6C 20 43 enSSL Internal C
0020: 65 72 74 69 66 69 63 61 74 65 ertificate

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
serverAuth
clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: puppet
DNSName: puppet.vm
DNSName: puppetdb1.vm
]

(I've removed the key identifier)

I'm primarily curious to see that the file is in a valid format, and
that the issuer is the CA of your puppetmaster, as mine shows under
the 'Issuer' part. Generally this is what the designation 'signature'
is all about, as referenced in your error message 'certificate signature
failure for /CN=puppetdb'.

Beyond that, we'll want to make sure the CA you have in your
truststore matches the CA on the puppetmaster:

puppetdb # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, 10-Jan-2013, trustedCertEntry,
Certificate fingerprint (SHA1):
84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

puppetmaster # openssl x509 -noout -in /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint
SHA1 Fingerprint=84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

If these don't match, then your truststore contains the wrong CA file.

ken.
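The two checks Ken describes (is the PuppetDB server cert signed by the puppetmaster's CA, and does the CA in the truststore have the same fingerprint as ca_crt.pem) can be rehearsed offline with openssl alone. The script below is an added example, not code from the thread or from the PuppetDB project: it builds a throwaway PKI in a temp directory with two CAs that share the same name but have different keys (the situation you get when a CA is regenerated), signs a "puppetdb" certificate with the old one, and then runs the same chain verification that `s_client -CAfile` performs, plus the fingerprint comparison. The CA subject, the host name `puppetdb` and the file names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Ken's two checks against a
# throwaway PKI. All names below (CA subject, host "puppetdb", temp dir) are
# constructed assumptions, not values from the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: self-signed CA certificate and key in $WORK/NAME.{pem,key}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert CANAME HOST: leaf certificate for HOST signed by CANAME, with
# the serverAuth/clientAuth EKU and a DNS SAN like the ones in Ken's keytool dump
issue_server_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$2" \
    > "$WORK/$2.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issuer_of CERT: the Issuer DN, the field Ken compares with the puppetmaster CA
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# fingerprint CERT: SHA1 fingerprint, the value keytool prints for a trustedCertEntry
fingerprint() {
  openssl x509 -noout -sha1 -fingerprint -in "$1" | cut -d= -f2
}

# verify_chain CAFILE CERT: prints "OK" when CERT chains to CAFILE, otherwise
# "FAIL: <first openssl error line>"; always returns 0 so callers can capture it
verify_chain() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    echo "FAIL: $(printf '%s\n' "$out" | grep -m1 '^error')"
  fi
}

# Two CAs with the *same* name: the one that signed the PuppetDB cert earlier and
# a regenerated puppetmaster CA with a new key. Same Issuer DN, different signing key.
make_ca ca-old     "/CN=Puppet CA: puppet.example"
make_ca ca-current "/CN=Puppet CA: puppet.example"
issue_server_cert ca-old puppetdb

echo "leaf issuer:          $(issuer_of "$WORK/puppetdb.pem")"
echo "old CA fingerprint:   $(fingerprint "$WORK/ca-old.pem")"
echo "current CA fingerprint: $(fingerprint "$WORK/ca-current.pem")"
echo "verify vs old CA:     $(verify_chain "$WORK/ca-old.pem" "$WORK/puppetdb.pem")"
echo "verify vs current CA: $(verify_chain "$WORK/ca-current.pem" "$WORK/puppetdb.pem")"
```

The Issuer line looks right in both cases, which is why the issuer name alone does not settle the question; only the chain check against the CA actually in use, and the fingerprint comparison, tell the two CAs apart. The exact wording of the failure depends on the OpenSSL version and on whether the leaf carries an Authority Key Identifier: with a matching issuer name and no AKID, openssl reports "certificate signature failure" like the error in Chris's post, while an AKID that points at a different key can instead be reported as "unable to get local issuer certificate".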