Puppetserver 6.0 -> Error:num=20 and Error:num=21


Michael Post

Jan 4, 2019, 4:21:47 PM
to Puppet Users
Hello,

Yesterday and today I set up a new Debian Stretch VM and want to install a fresh environment with puppetserver 6.

I did it twice, but both times I got the same error.

depth=0 CN = xxxx.xxxxxx.xxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = xxxx.xxxxxx.xxx
verify error:num=21:unable to verify the first certificate
verify return:1



puppet agent -t works fine on the puppetserver host.

But on the node, I get this error.


I could not find anything on the internet that made this clear to me or described my concrete situation.


Thanks for any hints and help.


Greetings,


Michael


Michael Post

Jan 4, 2019, 4:33:07 PM
to Puppet Users

On Friday, January 4, 2019 at 22:21:47 UTC+1, Michael Post wrote:
Hello,


 
Additional information to the problem:

On the node I can run "puppet agent -t", and the first time the node connects to the puppetserver. On the puppetserver I sign this request with 'puppetserver ca sign --certname=xxxx.xxxxxxxx.xxx' and afterwards I see the node correctly under the signed certificates section in the output of 'puppetserver ca list --all'.

But on the next 'puppet agent -t' on the node I get the following output:

Info: Caching certificate for 1440zb827eb606d67.purematic.de

Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: xxxx.xxxxxxxx.xxx]

Exiting; failed to retrieve certificate and waitforcert is disabled


I removed the old stuff under /var/lib/puppet/ssl and tried it again with a new certificate signing on the puppetserver, but with the same effect.

PS: I added multiple alt DNS names to the certificate on the puppetserver. With the command 'puppetserver ca list --all' I see all the alt DNS names.

Greets,

Michael



Michael Post

Jan 4, 2019, 5:03:14 PM
to Puppet Users
Hello,

On Friday, January 4, 2019 at 22:21:47 UTC+1, Michael Post wrote:
Hello,

yesterday and today i set up a new Debian Stretch VM and want to install a fresh environment with puppetserver 6.

Sometimes it is good to write, think and read more and more.
I solved my problem.
The exact steps are written in the documentation, but you have to find them.

It is written under:
Puppet agent
You need to do two things to prepare Puppet agent for this CA configuration:
If you copy this file into place before the first Puppet run, you will not receive any errors. If you attempt a Puppet run prior to this file being present you will receive errors since the auto-distributed ca.pem file doesn’t include the root CA.
Example error:
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=<server>]

Copy the CA bundle in place prior to a Puppet run.

Disable certificate revocation validation.

Copy the CA bundle you created to /etc/puppetlabs/puppet/ssl/certs/ca.pem on every agent node.
Set certificate_revocation = false in the [main] section of puppet.conf on every agent node:

[main]
certificate_revocation = false

Once you’ve completed both of these steps, the agent can run successfully.

Have a nice weekend,

Michael
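The root cause described in this post (an agent ca.pem that holds the intermediate "Puppet CA" but not the root that issued it) can be reproduced in miniature with openssl. The script below is an added example, not code from the thread or from Puppet: it builds a throwaway root -> intermediate -> agent chain, then verifies the agent certificate once against a ca.pem containing only the intermediate (which fails with "unable to get issuer certificate") and once against the intermediate + root bundle the documentation says to copy into place (which verifies OK). Every name, path and key in it is constructed for the demo; the only assumption is that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): rebuild the failure with
# openssl.  An external root CA issues an intermediate "Puppet CA", which issues
# an agent certificate.  Verifying the agent cert against a ca.pem holding only
# the intermediate fails; a bundle holding intermediate + root succeeds.
# All names, paths and keys below are constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"

build_chain() {
  # Skip the (slow) key generation if the chain already exists.
  [ -f "$WORK/agent.pem" ] && return 0
  cd "$WORK" || return 1

  # Extensions that make a certificate a CA certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Extensions for the agent (end-entity) certificate, with a DNS alt name.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:agent.example.test\n' > leaf.ext

  # 1. External root CA, self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1 || return 1
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1 || return 1

  # 2. Intermediate Puppet CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Puppet CA: puppet.example.test" >/dev/null 2>&1 || return 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1 || return 1

  # 3. Agent certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
    -subj "/CN=agent.example.test" >/dev/null 2>&1 || return 1
  openssl x509 -req -in agent.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out agent.pem >/dev/null 2>&1 || return 1

  # The two ca.pem variants an agent might end up with.
  cp int.pem ca_intermediate_only.pem      # intermediate only: the broken state
  cat int.pem root.pem > ca_bundle.pem     # intermediate + root: the fix
}

# Verify the agent certificate against the named ca.pem variant.
# Prints openssl's verdict and returns its exit status (0 = chain verified).
verify_with() {
  openssl verify -CAfile "$WORK/$1" "$WORK/agent.pem" 2>&1
}

build_chain || { echo "could not build demo chain" >&2; exit 1; }
echo "--- ca.pem with intermediate only (expected: error) ---"
verify_with ca_intermediate_only.pem || true
echo "--- ca.pem with intermediate + root (expected: OK) ---"
verify_with ca_bundle.pem
```

The same check can be run against a real agent's /etc/puppetlabs/puppet/ssl/certs/ca.pem and its own certificate to confirm whether the bundle on disk is complete before touching certificate_revocation; the verdict openssl prints here is the one the agent's SSL_connect error is reporting.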

Josh Cooper

Jan 4, 2019, 6:27:29 PM
to puppet...@googlegroups.com

One clarification. Puppetserver6 has a new workflow for importing an external CA certificate, and issuing an intermediate puppet CA from that. Also puppet6 agents will correctly download the CA bundle and process multiple CRLs, so it is not necessary to disable CRL checking. However the steps you outlined are required for puppet5 agents talking to puppetserver6 when it is using intermediate CA certs, as older agents don't process multiple CRLs correctly.


Josh
--
Josh Cooper | Software Engineer