Jira (PDB-4446) puppet query: certificate verify failed

John Florian (JIRA)

Jun 27, 2019, 7:32:03 PM
to puppe...@googlegroups.com
John Florian created an issue
PuppetDB / Bug PDB-4446
puppet query: certificate verify failed
Issue Type: Bug
Affects Versions: PDB 6.3.4
Assignee: Unassigned
Components: PuppetDB
Created: 2019/06/27 4:31 PM
Environment:

PuppetDB is on CentOS 7 using puppetdb-6.3.4-1.el7.noarch from the puppet6 repo.

The CLI is on Fedora 30 using the puppetdb_cli-2.0.0.gem.  This same host has puppet-5.5.10-4.fc30.noarch from the regular Fedora repos.

Priority: Normal
Reporter: John Florian

Following the installation/configuration instructions at https://puppet.com/docs/puppetdb/6.3/pdb_client_tools.html, I have been unable to perform a simple test query.  These fail like:

$ sudo puppet query "nodes [ certname ]{ limit 1 }"
Traceback (most recent call last):
        20: from /usr/local/bin/puppet-query:23:in `<main>'
        19: from /usr/local/bin/puppet-query:23:in `load'
        18: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/exe/puppet-query:7:in `<top (required)>'
        17: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli.rb:13:in `run'
        16: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:314:in `run'
        15: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:296:in `run'
        14: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:360:in `run_this'
        13: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli/query.rb:34:in `block (2 levels) in <module:PuppetDBCLI>'
        12: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli/utils.rb:41:in `send_query'
        11: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:103:in `request'
        10: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:103:in `each'
         9: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:105:in `block in request'
         8: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty.rb:507:in `get'
         7: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty.rb:593:in `perform_request'
         6: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty/request.rb:145:in `perform'
         5: from /usr/share/ruby/net/http.rb:1470:in `request'
         4: from /usr/share/ruby/net/http.rb:919:in `start'
         3: from /usr/share/ruby/net/http.rb:930:in `do_start'
         2: from /usr/share/ruby/net/http.rb:996:in `connect'
         1: from /usr/share/ruby/net/protocol.rb:44:in `ssl_socket_connect'
/usr/share/ruby/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)

My CLI config (/etc/puppetlabs/client-tools/puppetdb.conf) is :

{
  "puppetdb": {
    "server_urls": "https://puppetdb.doubledog.org:8081",
    "cacert": "/etc/puppet/ssl/certs/ca.pem",
    "cert": "/etc/puppet/ssl/certs/zuul.doubledog.org.pem",
    "key": "/etc/puppet/ssl/private_keys/zuul.doubledog.org.pem"
  }
}

This leaves me with little to debug the connection with.  I did an md5sum on the client /etc/puppet/ssl/certs/ca.pem and confirmed it matches both /etc/puppetlabs/puppetdb/ssl/ca.pem and /etc/puppetlabs/puppet/ssl/certs/ca.pem on the Master/DB host.  What now?  Could this be the CRL checking problem that agents have with the new(ish) intermediate CA cert?  FWIW, this client requires certificate_revocation = leaf to work around that issue.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

John Florian (JIRA)

Jun 27, 2019, 7:38:03 PM
to puppe...@googlegroups.com

(My apologies for the markup, I can't make it work.)

Aaron (Jira)

Jun 22, 2020, 5:44:03 PM
to puppe...@googlegroups.com
Aaron commented on Bug PDB-4446
Re: puppet query: certificate verify failed

I'm experiencing the same behavior with puppetdb version 6.11.0-1.el7 on centos 7.8.2003.

# puppet query 'facts [] { name="puppet_major_version" }'
Traceback (most recent call last):
	20: from /opt/puppetlabs/bin/puppet-query:23:in `<main>'
	19: from /opt/puppetlabs/bin/puppet-query:23:in `load'
	18: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/puppetdb_cli-2.0.1/exe/puppet-query:7:in `<top (required)>'
	17: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/puppetdb_cli-2.0.1/lib/puppetdb_cli.rb:13:in `run'
	16: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/cri-2.15.10/lib/cri/command.rb:314:in `run'
	15: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/cri-2.15.10/lib/cri/command.rb:296:in `run'
	14: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/cri-2.15.10/lib/cri/command.rb:360:in `run_this'
	13: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/puppetdb_cli-2.0.1/lib/puppetdb_cli/query.rb:30:in `block (2 levels) in <module:PuppetDBCLI>'
	12: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/puppetdb_cli-2.0.1/lib/puppetdb_cli/utils.rb:43:in `send_query'
	11: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/pl-puppetdb-ruby-2.0.3/lib/puppetdb/client.rb:103:in `request'
	10: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/pl-puppetdb-ruby-2.0.3/lib/puppetdb/client.rb:103:in `each'
	 9: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/pl-puppetdb-ruby-2.0.3/lib/puppetdb/client.rb:105:in `block in request'
	 8: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/httparty-0.18.1/lib/httparty.rb:508:in `get'
	 7: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/httparty-0.18.1/lib/httparty.rb:594:in `perform_request'
	 6: from /opt/puppetlabs/puppet/lib/ruby/gems/2.5.0/gems/httparty-0.18.1/lib/httparty/request.rb:145:in `perform'
	 5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1458:in `request'
	 4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:909:in `start'
	 3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
	 2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:985:in `connect'
	 1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)


Aaron (Jira)

Jun 22, 2020, 5:50:02 PM
to puppe...@googlegroups.com
Aaron commented on Bug PDB-4446

Just an FYI: in my case, I was using localhost (since the CLI is installed on the PuppetDB server) in the server_urls option. Changing it to the FQDN of the machine solved the issue for me. In my case, I'm guessing that the server_urls have to match the subject of the certificate offered by PuppetDB on its initial SSL negotiation.

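The two suspects raised in this thread, the reporter's CRL-checking theory and Aaron's host-name mismatch, can both be reproduced offline with Ruby's openssl library, which is what puppet-query ends up calling through httparty and net/http. The block below is an added example written for this page; it is not code from the thread, from puppetdb_cli or from pl-puppetdb-ruby. It builds a constructed toy PKI (a CA named "Example CA" and a server certificate for puppetdb.example.org, both made up here) and then: verifies the chain through an OpenSSL::X509::Store so that the real error code and reason come back instead of the bare "certificate verify failed (unspecified certificate verification error)" in the tracebacks above, including the "unable to get certificate CRL" case when CRL checking is on but no CRL is available, and the pass once a CA-signed CRL is supplied; runs the same host-name identity check TLS does against the SAN/CN, which is false for "localhost" and true for the FQDN, matching what Aaron saw; and shows how to wire the cacert/cert/key from puppetdb.conf into Net::HTTP with a verify_callback that records the per-certificate reason on a real connection. The URL and PEM arguments to build_client are assumptions for illustration.

```ruby
# Added example, not from the Jira thread or the puppetdb_cli gem.
# Constructed toy PKI: every name (Example CA, puppetdb.example.org) is made up.
require 'openssl'
require 'net/http'
require 'uri'

ONE_HOUR = 3600

# Issue an X.509 v3 certificate; with no issuer it is self-signed (the CA).
def issue_cert(subject, key, exts, issuer_cert: nil, issuer_key: nil, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ONE_HOUR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# An empty CRL signed by the CA, so a CRL check has something to consult.
def issue_crl(ca_cert, ca_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # v2 CRL
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + ONE_HOUR
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue_cert('/CN=Example CA', CA_KEY, [
  ['basicConstraints', 'CA:TRUE', true],
  ['keyUsage', 'keyCertSign,cRLSign', true],   # cRLSign so the CRL below is acceptable
  ['subjectKeyIdentifier', 'hash', false]
])
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = issue_cert('/CN=puppetdb.example.org', SERVER_KEY, [
  ['basicConstraints', 'CA:FALSE', true],
  ['keyUsage', 'digitalSignature,keyEncipherment', true],
  ['extendedKeyUsage', 'serverAuth', false],
  ['subjectAltName', 'DNS:puppetdb.example.org', false]  # the FQDN, not localhost
], issuer_cert: CA_CERT, issuer_key: CA_KEY, serial: 2)
CA_CRL = issue_crl(CA_CERT, CA_KEY)

# Chain verification with optional CRL checking. Returns OpenSSL's own error
# code and reason string, which net/http collapses into one generic message.
def verify_chain(leaf, trusted, crls: [], check_crl: false)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  crls.each { |c| store.add_crl(c) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl  # leaf CRL check, like certificate_revocation = leaf
  ok = store.verify(leaf)
  { ok: ok, error: store.error, reason: store.error_string }
end

# The host-name identity check TLS performs against the SAN (or CN). This is
# what fails when server_urls says localhost but the cert names the FQDN.
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Wire cacert/cert/key the way puppetdb.conf does, plus a verify_callback that
# records the precise failure per chain element. Does not connect by itself.
def build_client(server_url, ca_pem, cert_pem, key_pem, failures)
  uri = URI(server_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(OpenSSL::X509::Certificate.new(ca_pem)) }
  http.cert = OpenSSL::X509::Certificate.new(cert_pem)
  http.key = OpenSSL::PKey.read(key_pem)
  http.verify_callback = proc do |preverify_ok, ctx|
    failures << "depth #{ctx.error_depth}: #{ctx.error_string} (#{ctx.current_cert&.subject})" unless preverify_ok
    preverify_ok
  end
  http
end

if $PROGRAM_NAME == __FILE__
  p verify_chain(SERVER_CERT, [])                                        # no CA in the store
  p verify_chain(SERVER_CERT, [CA_CERT], check_crl: true)                # CRL check, no CRL available
  p verify_chain(SERVER_CERT, [CA_CERT], crls: [CA_CRL], check_crl: true) # CRL check satisfied
  p [hostname_matches?(SERVER_CERT, 'localhost'), hostname_matches?(SERVER_CERT, 'puppetdb.example.org')]
end
```

To use build_client against a live PuppetDB, pass the real server_urls entry and the contents of the cacert, cert and key files from puppetdb.conf, call http.start, and print the failures array when the SSLError is raised; the recorded reason (for example a CRL lookup error or an issuer error at a given depth) is what the stock traceback hides. Host-name mismatch is not reported through this callback in older net/http versions, so also run hostname_matches? against the certificate the server presents.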