Any hints on how to get past "Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain"?


gbif...@gmail.com

Apr 13, 2015, 11:31:47 AM
to puppet...@googlegroups.com
Hello everyone, 

Centos 7.1, puppet 3.6.2. 

The agent can't request a certificate signing because the SSL connection to the master doesn't work "Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain"

Initially, I could verify that underlying openssl will return a connection error using both "openssl s_client -connect host:8140" and a simple ruby program where I "http.start { http.request(req) }" and then check for SSL errors.

But then using the -showcerts option in the openssl command above I could see and copy the master's cert into /etc/pki/ca-trust/source/anchors/host.pem after which I run update-ca-trust. Predictably enough both the openssl s_client and my ruby test would then connect OK to the master on port 8140; yet agent -t keeps returning an error. 

I've searched for all .pems on the instance:

/var/lib/puppet/ssl/certificate_requests/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/public_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/private_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/ca.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source/anchors/host.pem
/etc/pki/tls/cert.pem
/usr/share/rubygems/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem
/usr/share/rubygems/rubygems/ssl_certs/host.pem
/usr/share/rubygems/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem

The "/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem" is just a link to "/etc/pki/tls/cert.pem", which in turn is controlled by update-ca-trust, but, just as an extra check, if I grep for the master's cert in "/etc/pki/tls/cert.pem" I get a match. As you can see above, I've also added host.pem (an exact copy of the master's cert) into "/usr/share/rubygems/rubygems/ssl_certs/" but to no avail... it was a desperate measure, I agree, if only because the said pem was anyway included in "/etc/pki/tls/cert.pem", but I'm really running out of ideas.

A strace -e trace=file shows that the only .pem files read by "puppet agent -t" are the ones from "/var/lib/puppet/ssl/" and the one from "/etc/pki/tls/cert.pem". Since both openssl s_client and my test ruby work, the whole thing should have worked... yet it doesn't. Any hints? :-|

gbif...@gmail.com

Apr 13, 2015, 11:41:55 AM
to puppet...@googlegroups.com
Sorry, forgot to mention that I have of course rm-ed -rf ssl/* on both the agent and master with puppet stopped and then followed the procedure to rebuild the keys. In fact this is how it all started: I deleted the master's key by mistake so I had to follow the procedure to rebuild the CA on the master but even with a full client re-install I'm still facing the error. Server is native puppet, no Apache/Passenger.
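A way to reproduce the "self signed certificate in certificate chain" failure offline and see which trust file actually decides it. This is an added example, not code from the thread: it builds a throw-away CA and master certificate (constructed data, not the real /var/lib/puppet/ssl files) and verifies the presented chain against one CA file at a time, which is how the agent checks the master with its own ca.pem rather than the OS anchors.

```ruby
require 'openssl'

# Build a throw-away CA plus a master certificate signed by it. These are
# constructed test certificates standing in for /var/lib/puppet/ssl/certs/ca.pem
# and the master's cert; no real keys or hosts are involved.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject   # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Puppet CA: master.lab', CA_KEY, ca: true)
MASTER_KEY = OpenSSL::PKey::RSA.new(2048)
MASTER_CERT = make_cert('/CN=master.lab', MASTER_KEY, issuer: CA_CERT, issuer_key: CA_KEY, serial: 2)
# A different CA, standing in for a ca.pem that does not match the master's current CA.
STALE_CA_KEY = OpenSSL::PKey::RSA.new(2048)
STALE_CA_CERT = make_cert('/CN=Puppet CA: old-master.lab', STALE_CA_KEY, ca: true)

# Verify the chain the master presents (its cert plus the CA that signed it)
# against exactly the CA certs in one trust file; nothing else is consulted.
# Returns [ok, openssl_error_code, error_string].
def verify_against(trusted_cas, server_cert, presented_chain)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert, presented_chain)
  [ok, ok ? 0 : store.error, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  # Matching ca.pem: the chain verifies. Mismatched ca.pem: the presented
  # self-signed CA is untrusted, which is exactly the agent's error text.
  puts "current ca.pem: #{verify_against([CA_CERT], MASTER_CERT, [CA_CERT]).inspect}"
  puts "stale ca.pem:   #{verify_against([STALE_CA_CERT], MASTER_CERT, [CA_CERT]).inspect}"
end
```

Point it at real files with `OpenSSL::X509::Certificate.new(File.read(path))` for ca.pem and the cert shown by `openssl s_client -showcerts` to check an actual agent/master pair the same way.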