Hi all, I have followed a repo install on Ubuntu. When testing the agent, I was getting the below:

{{C:\Windows\system32>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving plugin
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]}}

I have troubleshot this to the following:

1) There is no CRL created in the CA.

2) The auto-downloaded Windows agent has a ca.pem, but this contains one cert only, whereas downloading from the Puppet master (https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca) shows two chained certificates in the same file.

3) On the agent, leaving everything as is (with the auto-downloaded ca.pem that only contains the single cert), and testing the chain with openssl throws an error:

{{C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: CN = Puppet CA: puppet.mydomain.com
error 2 at 1 depth lookup:unable to get issuer certificate}}

3) On the agent, replacing C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs with the downloaded file (from step 2) and renaming it to ca.pem then allows openssl to pass:

{{C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: OK}}

4) Trying to run with the above causes a failure:

{{C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=Puppet CA: puppet.mydomain.com]}}

5) Setting the agent config

{{[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
certificate_revocation = false}}

then allowed the agent test to run:

{{Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for home-hv1
Info: Applying configuration version '1559933691'}}
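The incomplete-bundle condition from steps 2 and 3, as an added example that is not part of the original report or of Puppet's code: it counts the certificates in a ca.pem and lists every issuer whose own certificate is absent, which is the condition openssl reports as error 2. It compares issuer and subject names only and verifies no signatures; the function names, the "Example Root CA" name and the unsigned sample certificates are constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):  # (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):  # raw (issuer, subject) Name bytes of one certificate
    _, p, _ = tlv(der, 0)                              # enter Certificate
    _, p, _ = tlv(der, p)                              # enter tbsCertificate
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                                    # optional [0] version present
        _, _, end = tlv(der, end)                      # so serialNumber comes next
    _, _, p = tlv(der, end)                            # skip signature algorithm
    _, s, p = tlv(der, p)
    issuer = der[s:p]
    _, _, p = tlv(der, p)                              # skip validity
    _, s, e = tlv(der, p)
    return issuer, der[s:e]

def text(name):  # join a Name's attribute values (e.g. the CN) for display
    out, p = [], 0
    while p < len(name):
        _, s, p = tlv(name, p)                         # RDN SET
        _, s, _ = tlv(name, s)                         # AttributeTypeAndValue
        _, _, s = tlv(name, s)                         # skip attribute OID
        _, s, e = tlv(name, s)
        out.append(name[s:e].decode("utf-8", "replace"))
    return ", ".join(out)

def missing_issuers(bundle):  # (cert count, issuers with no certificate in the bundle)
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(bundle)]
    have = {subject for _, subject in certs}
    return len(certs), sorted({text(i) for i, _ in certs if i not in have})

def der(tag, body):  # sample builder; short (<128 byte) bodies only
    return bytes([tag, len(body)]) + body
def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton (structure only, not a usable cert)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03" + der(0x0C, cn.encode()))))
    head = der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + der(0x30, b"")  # version, serial, alg
    tbs = der(0x30, head + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der(0x30, tbs)) + b"-----END CERTIFICATE-----\n"

ROOT = sample_cert("Example Root CA", "Example Root CA")  # constructed root name
INTERMEDIATE = sample_cert("Example Root CA", "Puppet CA: puppet.mydomain.com")
```

For a real agent, pass the bytes of its ca.pem to `missing_issuers`; a non-empty list means the bundle stops short of a self-signed root.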