Need help in addressing this error - ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca


Dhanarajan Ponnurangam

Dec 12, 2013, 4:14:09 AM12/12/13
to puppet...@googlegroups.com

Hi,

I am new to this puppet. I am implementing a network where my cisco switch will contact the puppet server for getting the configuration.
I tried installing open source puppet and was successful in pushing down the configurations.

I wanted then to try the same exercise with puppet enterprise 3.1. I installed puppet enterprise in a different server and changed my puppet agent (switch) to reflect this new server as the puppet master.
I have autosign.conf created under /etc/puppet-labs/puppet/ with the entry *.<domain_name>.com. I have site.pp and other files specific for cisco device as I had in the previous exercise (open source puppet).
When I initiate the puppet master using the command "puppet master -d --no-daemonize", I see the following error in /var/log/pe-puppet/masterhttp.log:

I did a websearch and tried all the options available, but still the error pops out continuously. Not sure if I am missing anything.
Could anyone please help me in addressing the below issue.

Appreciate your inputs on the same.


[2013-12-12 08:55:39] INFO  WEBrick 1.3.1
[2013-12-12 08:55:39] INFO  ruby 1.9.3 (2013-06-27) [x86_64-linux]
[2013-12-12 08:55:39] DEBUG TCPServer.new(0.0.0.0, 8140)
[2013-12-12 08:55:39] INFO 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA generated on savbu-razor-server.cisco.com at 2013-12-10 05:05:10 -0800
        Validity
            Not Before: Dec 11 16:55:39 2013 GMT
            Not After : Dec 11 16:55:39 2018 GMT
        Subject: CN=10.193.174.38
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c2:a9:e2:8b:17:21:ca:65:65:9b:d2:76:0c:06:
                    d9:aa:4c:6c:df:55:45:7a:34:5a:a6:ab:af:7a:cc:
                    5d:a7:23:3e:66:61:9d:70:cf:4b:2c:d0:7f:dd:3a:
                    a6:95:ee:83:39:5d:ee:1b:f1:1c:29:71:68:dc:37:
                    c5:e7:c9:d0:cc:05:22:2c:c7:a9:18:10:ff:2b:1f:
                    76:43:96:64:44:9d:79:9d:8b:81:2d:da:d7:5b:25:
                    10:cc:4c:c3:93:7e:83:08:19:41:fe:93:a7:c0:8f:
                    60:bc:aa:f9:5d:3d:f1:95:8e:73:38:ac:64:71:46:
                    67:88:83:34:a2:9e:a1:6e:4b:27:ce:94:27:82:b4:
                    c9:0c:fc:a7:4f:93:d5:20:f6:4a:14:68:87:d8:8e:
                    8c:1b:5c:47:06:e2:b6:f4:37:d2:60:f7:e3:d7:bf:
                    e0:21:b2:a7:10:1b:92:1b:4f:ef:cc:f1:dc:f8:57:
                    29:81:09:06:b1:00:aa:e5:76:23:12:6f:10:b3:63:
                    8a:8c:2b:08:46:10:66:e5:4a:3a:ab:b4:b9:4c:67:
                    5f:9e:01:46:45:dd:19:bf:c1:ad:1a:c3:19:3a:a5:
                    0d:28:96:41:9b:67:16:7e:98:92:ec:46:86:ee:e1:
                    07:87:62:56:32:7f:05:f6:89:c6:b1:e4:85:7e:52:
                    10:4e:b6:fd:11:e3:74:dd:4e:48:90:11:9a:aa:95:
                    59:92:9a:88:a5:99:45:00:82:68:c7:93:fb:5f:13:
                    04:1d:75:87:4d:f7:97:62:08:ce:5d:19:ee:6f:71:
                    d2:cf:f9:46:4e:a2:8e:3b:a7:00:55:2c:e2:0e:ee:
                    56:d7:62:8f:9b:d8:20:6f:f7:e4:8c:f9:69:6c:d5:
                    b5:9f:53:68:ed:d8:85:0a:1f:4d:41:36:2b:9c:a3:
                    81:b0:77:78:8e:6e:47:c2:6e:00:ca:4d:f9:32:1e:
                    0f:98:8a:14:0d:f7:dd:ed:55:06:ae:62:3d:73:0c:
                    35:23:be:a2:9a:69:84:2e:e5:5b:9c:ca:8f:f7:02:
                    b9:1b:1a:e2:66:47:e2:7c:55:21:42:78:0e:dd:7e:
                    1a:cd:ad:6e:e1:f5:cc:42:b4:fd:cb:23:73:cf:58:
                    8d:ad:5a:b3:f1:f0:eb:fd:98:96:c0:54:c8:1a:64:
                    8a:a3:a1:e2:67:ca:dc:76:4a:cb:7b:e5:55:54:31:
                    c1:6c:7b:03:16:cb:b1:d6:dd:10:1e:c8:e8:34:d1:
                    22:b8:33:95:72:6c:48:75:65:35:e8:6f:17:66:7b:
                    34:10:d8:b8:2b:8c:ef:70:68:b3:62:b3:62:ac:30:
                    21:74:49:c6:c1:34:9c:ac:be:e8:da:04:79:e9:d7:
                    60:44:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Subject Alternative Name:
                DNS:10.193.174.38, DNS:puppet, DNS:puppet.cisco.com, DNS:savbu-razor-server.cisco.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                5B:08:3C:EA:AE:04:4E:A5:DF:FB:8A:77:73:F8:04:31:76:DD:F1:E4
    Signature Algorithm: sha256WithRSAEncryption
         d0:94:b2:9d:8f:06:db:2c:57:92:a8:d6:2c:e8:26:bd:7e:38:
         ac:ea:79:38:13:f4:02:0b:23:5b:1d:44:8d:75:a8:87:69:57:
         03:83:cf:1c:a9:1b:9c:60:78:80:74:56:68:3d:9d:11:14:7d:
         cf:d0:9c:d5:96:1f:11:63:07:c9:57:d1:b3:24:63:b7:6e:63:
         9d:9a:28:bc:34:a7:7f:19:f2:d4:39:0c:e8:3f:89:72:96:7f:
         2a:61:f2:b6:ef:2d:7c:b2:a5:2e:61:f8:dc:60:dd:dc:2f:6e:
         25:5f:05:19:de:39:6a:af:4d:49:e4:f0:86:00:3a:95:e2:84:
         2e:37:74:25:99:f8:0e:15:57:5a:43:d8:54:db:65:35:85:0a:
         6e:aa:95:ff:11:95:4c:0d:f2:e9:35:2e:d3:22:b2:7d:cf:f4:
         97:0c:3c:eb:35:2e:27:83:9f:7f:7c:8e:36:df:d6:b1:4c:d5:
         02:d1:ba:f9:52:db:96:45:8e:21:d2:4f:fd:73:6e:ac:4a:c6:
         08:50:73:28:64:03:2f:fb:26:af:41:24:a9:97:e2:81:b1:81:
         c2:d6:fc:fa:4c:8b:a9:22:9c:a1:13:24:94:ca:9b:f3:61:3a:
         d8:28:16:c4:8c:77:c2:28:bc:a4:67:5a:cc:8c:b6:08:15:ce:
         7a:90:fb:61:a7:cd:9b:d9:c5:18:bb:31:9e:be:29:cf:e3:21:
         58:22:89:60:db:5d:f0:42:2b:25:58:ca:7a:b8:cb:eb:18:27:
         6f:6d:af:66:61:c9:83:94:cd:c2:5f:11:3a:59:e5:18:60:48:
         2a:5e:6f:91:70:1a:81:dc:f2:f1:4d:c9:5e:49:e9:81:39:ed:
         9b:e0:d5:ab:0e:42:61:6a:19:d8:a7:25:0d:b5:09:05:f7:2e:
         5b:5b:67:6e:7c:7b:9a:e9:29:42:40:0b:97:88:e9:a9:82:87:
         ad:af:59:6a:2c:e3:35:6e:a0:26:a2:4f:5f:d6:2c:c1:ab:e5:
         89:3b:df:44:e9:60:1e:6f:10:70:f4:f1:80:50:20:38:e5:1a:
         cb:5b:53:a2:44:71:f2:a3:af:58:3e:83:65:f1:60:30:b7:09:
         32:9b:42:3e:88:d5:27:6d:0b:8e:fa:28:da:b2:a9:65:81:4b:
         ab:50:e9:b0:bd:ec:fb:0b:3c:69:20:f8:df:ff:6d:93:1d:77:
         60:77:8d:48:45:c0:38:e4:77:6a:3a:09:c9:51:b4:bc:29:bd:
         61:e2:b7:f5:30:ed:e3:e1:ae:cd:32:18:e0:d1:7c:b0:ff:ca:
         ae:f0:cc:a1:3a:27:b5:38:5c:56:ab:4c:f4:8c:1a:18:ca:3b:
         d8:2c:23:3c:3d:4f:18:e0
[2013-12-12 08:55:39] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
[2013-12-12 08:55:39] INFO  WEBrick::HTTPServer#start: pid=4808 port=8140
[2013-12-12 08:56:07] DEBUG accept: 10.193.174.147:32849
[2013-12-12 08:56:07] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
    /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in `accept'
    /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in `block (3 levels) in listen'
    /opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
    /opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
[2013-12-12 08:56:07] DEBUG close: 10.193.174.147:32849
[2013-12-12 08:56:07] DEBUG accept: 10.193.174.147:32918
[2013-12-12 08:56:07] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
    /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in `accept'
    /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in `block (3 levels) in listen'
    /opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
    /opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
[2013-12-12 08:56:07] DEBUG close: 10.193.174.147:32918

jcbollinger

Dec 12, 2013, 9:48:18 AM12/12/13
to puppet...@googlegroups.com


On Thursday, December 12, 2013 3:14:09 AM UTC-6, Dhanarajan Ponnurangam wrote:

Hi,

I am new to this puppet. I am implementing a network where my cisco switch will contact the puppet server for getting the configuration.
I tried installing open source puppet and was successful in pushing down the configurations.

I wanted then to try the same exercise with puppet enterprise 3.1. I installed puppet enterprise in a different server and changed my puppet agent (switch) to reflect this new server as the puppet master.
I have autosign.conf created under /etc/puppet-labs/puppet/ with the entry *.<domain_name>.com. I have site.pp and other files specific for cisco device as I had in the previous exercise (open source puppet).
When I initiate the puppet master using the command "puppet master -d --no-daemonize", I see the following error in /var/log/pe-puppet/masterhttp.log:



The agent created a certificate when it first ran, and asked the original master, which by default serves as CA, to sign it.  When you point that agent at a different master that, like the first, serves as its own CA, the agent continues to use its existing certificate.  The new master does not recognize the original one as a trusted CA, however, so it rejects the agent's certificate.

If necessary, it is possible to configure your masters to use a central CA instead of each serving as its own.  If something like that is not done, however, then you need to clean out agents' certificates when you transfer them between masters.  To do so, simply delete the client's entire puppet SSL directory, typically located at /var/lib/puppet/ssl.  (But not on your master!)  You will typically then also want to revoke the client's certificate and delete it from the original master ("puppet cert clean <certname>" for Puppet OS), though it's not strictly necessary to do so.


John
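An added worked example, not code from either post: it reproduces the trust mismatch John describes offline, using Ruby's OpenSSL bindings (the same library that raises the OpenSSL::SSL::SSLError in the log). Two independent self-signed CAs stand in for the old open-source master and the new PE master; an agent certificate issued by the old CA is then verified against each. One detail worth knowing when reading the log: an SSL_accept error whose reason is "tlsv1 alert unknown ca" means the master *received* that fatal alert from the agent, i.e. the agent rejected the master's server certificate against the stale certs/ca.pem in its own ssldir (a verification failure on the master's own side is reported as "certificate verify failed" instead). Both directions fail for the same reason, and deleting the agent's whole SSL directory fixes both, because it removes the old ca.pem along with the old certificate. All names, serials and hostnames below are made up.

```ruby
require 'openssl'

# Added example (not code from the thread): reproduce the trust mismatch
# offline with two independent Puppet-style CAs. All names are made up.

# Build a self-signed CA, the way each puppet master does on first start.
def make_ca(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 5 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue a leaf cert for a node, as the CA does on signing (serverAuth + clientAuth,
# matching the extensions visible in the master's own cert in the log).
def issue_cert(ca_cert, ca_key, certname, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 5 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth, clientAuth', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What either side of the handshake does with the peer's certificate: verify it
# against the single CA in its own ssldir. Returns the OpenSSL verify result
# code: 0 = OK, 20 = "unable to get local issuer certificate".
def verify_against(trusted_ca, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.verify(peer_cert) ? 0 : store.error
end

# Cheap pre-check, equivalent to comparing `openssl x509 -noout -issuer` on the
# cert with `openssl x509 -noout -subject` on the CA: do the names match?
def issuer_matches?(ca_cert, cert)
  cert.issuer == ca_cert.subject
end

# --- scenario from the thread -------------------------------------------
OLD_CA, OLD_KEY = make_ca('Puppet CA generated on old-master.example.com')
NEW_CA, NEW_KEY = make_ca('Puppet CA generated on pe-master.example.com')

# The agent enrolled with the old master, so its ssldir holds a cert from
# OLD_CA and a copy of OLD_CA as certs/ca.pem.
AGENT_CERT, _AGENT_KEY = issue_cert(OLD_CA, OLD_KEY, 'switch.example.com', 10)
# The new PE master's server cert is issued by its own CA.
NEW_MASTER_CERT, _NEW_MASTER_KEY = issue_cert(NEW_CA, NEW_KEY, 'pe-master.example.com', 2)

# Agent side: it checks the master's server cert against its stale ca.pem,
# fails, and sends the unknown_ca alert that the master logs in SSL_accept.
AGENT_VIEW = verify_against(OLD_CA, NEW_MASTER_CERT)
# Master side: even if the handshake got further, the agent's old cert would
# fail the same way against the new CA.
MASTER_VIEW = verify_against(NEW_CA, AGENT_CERT)

# After wiping the agent's ssldir and re-enrolling: a fresh cert from NEW_CA
# and NEW_CA as the trusted ca.pem. Both checks pass.
REISSUED_CERT, _REISSUED_KEY = issue_cert(NEW_CA, NEW_KEY, 'switch.example.com', 11)
AFTER_FIX = [verify_against(NEW_CA, NEW_MASTER_CERT), verify_against(NEW_CA, REISSUED_CERT)]

if __FILE__ == $PROGRAM_NAME
  puts "agent verifying new master with old ca.pem: error #{AGENT_VIEW}"
  puts "new master verifying agent's old cert:      error #{MASTER_VIEW}"
  puts "after re-enrolment (master cert, agent cert): #{AFTER_FIX.inspect}"
end
```

On a real host the same pre-check is two openssl commands: `openssl x509 -noout -issuer -in <ssldir>/certs/<certname>.pem` on the agent and `openssl x509 -noout -subject -in <ssldir>/ca/ca_crt.pem` on the master; if the Issuer string is not the "Puppet CA generated on ..." name of the master you are now talking to, the agent's ssldir is the leftover from the old master and needs to be cleaned out as John describes.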
