SSL Certificate errors - Migrating from built-in webserver to Apache and Passenger


Tom Hallam

Mar 22, 2014, 10:51:59 AM
to puppet...@googlegroups.com

Hi All


I've been running Puppet using the built-in web server and I'm now moving to Apache and Passenger.  I've completed the installation and started testing. If I run


puppet agent --test --noop


I get the following error (domain removed)


Warning: Unable to fetch my node definition, but the agent run will continue:

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Info: Retrieving plugin

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001....] Could not retrieve file metadata for puppet://puppet..../plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Warning: Not using cache on failed catalog

Error: Could not retrieve catalog; skipping run

Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ecm-rhl-001...]


If I turn apache off and the built in webserver back on it all works.


The server I'm running Puppet on has a CNAME "puppet...." that points to its real name "ecm-rhl-001...".  The Apache site is configured with "ecm-rhl-001..." as the servername and "puppet..." as server alias.  The system returns 'ecm-rhl-001' for hostname and 'ecm-rhl-001....' for hostname -f.  The certificate has "ecm-rhl-001..." as its CN and "puppet..." as one of its "alt names".  Obviously the cert is OK as it works with the built-in webserver. It looks like I'm missing something in the Apache SSL or Passenger configuration but I have no idea what.


I've tried various permutations of servername and serveralias without success.  Changing the server name in the agent configuration so it uses the real name instead of the CNAME also does not fix the issue.


Any suggestions?


Tom

Spencer Krum

Mar 22, 2014, 1:59:50 PM
to puppet...@googlegroups.com
You should have several lines in your apache vhost pointing to specific ssl certs. Can you verify that all these paths are correct?

Specifically the lines beginning with SSL in http://docs.puppetlabs.com/guides/passenger.html#create-and-enable-the-puppet-master-vhost


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f21d077a-14f8-4712-a0d6-8e8bfeb0652a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Spencer Krum
(619)-980-7820

Tom Hallam

Mar 22, 2014, 2:02:44 PM
to puppet...@googlegroups.com
Hi

Just tried

openssl s_client -connect puppet...:8140 -showcerts </dev/null >/tmp/file


To get the certificates from each server, and they are not the same.  I've checked /etc/puppet/ssl and the Passenger configuration is giving me the same certificates as are in there.  Can't find ones that match WEBrick's certificates.


Tom


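Spencer's suggestion (check the SSL* paths in the vhost) and Tom's s_client comparison, combined into one diagnostic script. This is an added example and not code from the thread or from Puppet: it reads the SSLCertificateFile path out of an Apache vhost config and compares that file's SHA-256 fingerprint with the Puppet master's own certificate, so a vhost pointing at the wrong cert directory shows up as a fingerprint mismatch instead of "certificate verify failed" on the agent. It assumes openssl on PATH; the hostnames, temp paths and vhost snippets are constructed for the demo, and the `served_fingerprint` helper (the live s_client step) is only shown, not run, because it needs a reachable server.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the certificate an
# Apache/Passenger vhost is configured to serve with the Puppet master's own
# certificate. Assumes: openssl on PATH. Hostnames and paths are constructed.
set -eu

# SHA-256 fingerprint of a PEM certificate file, with the "Fingerprint=" prefix stripped.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live TLS endpoint presents (what the
# s_client command in the thread fetches). Needs network access; not run here.
served_fingerprint() {
    host=$1
    port=${2:-8140}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Path from the first SSLCertificateFile directive in a vhost config.
vhost_cert_path() {
    awk '$1 == "SSLCertificateFile" { print $2; exit }' "$1"
}

# $1 = vhost config, $2 = master cert (the $ssldir/certs/<fqdn>.pem equivalent).
# Prints "match" and returns 0 when both files hold the same certificate;
# otherwise prints the problem and returns 1.
check_vhost_against_ssldir() {
    vhost_cert=$(vhost_cert_path "$1")
    if [ -z "$vhost_cert" ] || [ ! -r "$vhost_cert" ]; then
        echo "MISSING: SSLCertificateFile '$vhost_cert' is absent or unreadable"
        return 1
    fi
    if [ "$(cert_fingerprint "$vhost_cert")" = "$(cert_fingerprint "$2")" ]; then
        echo match
    else
        echo "MISMATCH: $vhost_cert is not the master cert $2"
        return 1
    fi
}

# --- Constructed demo data: a throwaway "master" cert and a stray cert with the same CN ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mk_cert() {  # $1 = output PEM, $2 = CN (constructed self-signed cert, 1 day)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
MASTER_CERT="$WORK/ecm-rhl-001.example.com.pem"
STRAY_CERT="$WORK/stray.pem"
mk_cert "$MASTER_CERT" "ecm-rhl-001.example.com"
mk_cert "$STRAY_CERT" "ecm-rhl-001.example.com"   # same CN, different key: looks right, is not

VHOST_GOOD="$WORK/puppetmaster-good.conf"
VHOST_BAD="$WORK/puppetmaster-bad.conf"
printf '<VirtualHost *:8140>\n    SSLEngine on\n    SSLCertificateFile %s\n</VirtualHost>\n' \
    "$MASTER_CERT" > "$VHOST_GOOD"
printf '<VirtualHost *:8140>\n    SSLEngine on\n    SSLCertificateFile %s\n</VirtualHost>\n' \
    "$STRAY_CERT" > "$VHOST_BAD"

check_vhost_against_ssldir "$VHOST_GOOD" "$MASTER_CERT"
check_vhost_against_ssldir "$VHOST_BAD" "$MASTER_CERT" || true
```

On a real master, replace the constructed paths with the vhost file Apache actually loads and with `$(puppet config print ssldir)/certs/$(hostname -f).pem`, and compare the result of `served_fingerprint puppet.example.com 8140` against the same file: the agent only verifies if all three fingerprints agree, and a cert with the right CN but the wrong key (the stray one above) still fails, which is why looking at the subject alone is not enough.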
Tom Hallam

Mar 22, 2014, 2:16:12 PM
to puppet...@googlegroups.com
Ahh, those lines are different.  The ones I have point to /etc/puppet/ssl....  Yep, the cert you've just pointed to looks like it matches what I'm getting from WEBrick.

Tom Hallam

Mar 22, 2014, 3:09:00 PM
to puppet...@googlegroups.com
Hi Spencer

That's fixed the SSL issue.  Not sure where I got the /etc/puppet/ssl... from.

I've got some "access denied" issues now.  Trace them down another day.

Thanks for the help

Tom