Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)

Matt Zagrabelny

Jan 8, 2016, 2:59:45 PM
to puppet...@googlegroups.com
On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny <mzag...@d.umn.edu> wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis <alt...@alter3d.ca> wrote:
>> Apparently I was a little too quick on the send button. :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get
me one step further.

client:

find /var/lib/puppet/ssl -name puppet-client.example.net.pem -delete

server:

puppet cert clean puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug

server:

puppet cert list
"puppet-client.example.net" (SHA256) E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB

puppet cert sign puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=unknown state: certificate verify failed: [self signed
certificate in certificate chain for /CN=Puppet CA:
puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on
the client seemed to fix the issue.

Cheers!

-m
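An added helper, not from the thread or from Puppet itself, that does the agent-side reset described above a bit more carefully: it first checks whether the agent's cached CA cert still matches the master's CA (a mismatch is what produces the "self signed certificate in certificate chain" error), and it moves the .pem files into a backup directory instead of deleting them. It assumes Puppet 3.x default paths (agent ssldir /var/lib/puppet/ssl, master CA at ssldir/ca/ca_crt.pem); EXPECTED_CA_FP, reset_agent_ssl and the other names are my own.

```shell
#!/bin/sh
# Assumption: Puppet 3.x default agent ssldir; override with SSLDIR=... if yours differs.
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"

# Does the agent's cached CA cert match the master's CA?  $1 = ssldir, $2 = the
# SHA256 fingerprint that the same openssl command prints for the master's
# $ssldir/ca/ca_crt.pem.  A mismatch means the agent trusts a stale CA, which
# is exactly the "certificate verify failed" failure from the thread.
ca_fingerprint_matches() {
  actual=$(openssl x509 -noout -fingerprint -sha256 -in "$1/certs/ca.pem" 2>/dev/null | cut -d= -f2)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Move every .pem under $1 (agent cert, key, CSR and the cached CA cert) into a
# timestamped sibling directory rather than deleting it, so the reset can be
# undone.  Prints the backup path.  This is the "clear out all .pem files" step.
reset_agent_ssl() {
  dir="$1"
  backup="${dir}.bak.$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup"
  find "$dir" -type f -name '*.pem' | while read -r f; do
    rel="${f#"$dir"/}"
    mkdir -p "$backup/$(dirname "$rel")"
    mv "$f" "$backup/$rel"
  done
  echo "$backup"
}

# Number of .pem files still under $1 (0 after a successful reset).
remaining_pem() { find "$1" -type f -name '*.pem' | wc -l | tr -d ' '; }

if [ "${1:-}" = "--reset" ]; then
  # Only touch the agent state when the cached CA really differs from the master's.
  if ca_fingerprint_matches "$SSLDIR" "${EXPECTED_CA_FP:-}"; then
    echo "cached CA cert matches the master; nothing to reset"
  else
    echo "stale or missing CA cert; .pem files backed up to $(reset_agent_ssl "$SSLDIR")"
    echo "now run 'puppet cert clean <agent fqdn>' on the master, then 'puppet agent -t --server <master>' here"
  fi
fi
```

Run as `EXPECTED_CA_FP='AA:BB:...' sh reset-agent-ssl.sh --reset` on the agent, with the fingerprint taken from `openssl x509 -noout -fingerprint -sha256 -in /var/lib/puppet/ssl/ca/ca_crt.pem` on the master.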