Puppetserver & puppetdb setup: "Path does not chain with any of the trust anchors"


Bret Wortman

Jun 15, 2016, 10:20:07 AM
to Puppet Users
I've installed postgresql and it's working with razor just fine. I followed the puppetdb setup instructions for installing it from packages and all looks good except that when puppetserver tries to connect to it, the logs show a variety of java stack traces where the root cause appears to be the above message.

The puppetdb and puppetserver (and razor) are all running on the same host, called "puppet". I can telnet to puppet port 8081 and something looks like it answers. I don't get bounced from the port immediately, anyway. When I browse to it, I get a certificate error in Chrome, "...the authenticity of the received data could not be verified."

And, of course, my clients all fail:

:
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to execute '/pdb/cmd/v1?checksum=7afbbb51c169c25ffede98f9bde4d456615392e7' on any of the following 'server_urls': https://puppet.internal.net:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

On the server:

# cat /etc/puppetlabs/puppetdb.conf
[main]

[database]
classname=org.postgresql.Driver
subprotocol=postgresql
username=[username]
password=[password]
# cat puppet.conf
[master]
:
storeconfigs = true
storeconfigs_backend = puppetdb

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
reports = puppetdb
pluginsync = true
http_keepalive_timeout = 30
# ls /etc/puppetlabs/puppetdb/ssl
ca.pem  private.pem  public.pem
# lsof -i:8081
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    5151 puppetdb  33u  IPv6 887988      0t0 TCP puppet.internal.net:tproxy (LISTEN)
# netstat -a | grep 8081
# netstat -a | grep 8080
#

Those last two have me confused, but I'm not sure they're indicative of a problem. Anyone seen this before or have any idea where to look next? 

Bret Wortman

Jun 15, 2016, 11:05:22 AM
to Puppet Users
I brought the puppetdb module and dependencies over to our development network and tried using it. All goes well until it tries to connect:

Notice: Unable to connect to puppetdb server (https://puppet.internal.net:8081): SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet.internal.net]
Notice: Failed to connect to puppetdb; sleeping 2 seconds before retry

And this just loops. Does this point to a problem with puppetserver or puppetdb?
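Both error strings quoted in this thread mean that the verifying side could not find the certificate's issuer among the CAs it trusts. The script below is an added example, not part of the original posts: it uses openssl to check whether a certificate chains to a CA file, and `make_demo_pki` builds constructed sample certificates so the check can be tried offline. The function names are hypothetical, and the Puppet CA path in the usage comment is an assumed default install location.

```shell
#!/bin/sh
# Added example, not from the thread: does a certificate chain to a CA file?

# fingerprint FILE: SHA-256 fingerprint of the first certificate in FILE.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_ca A B: succeeds when both files start with the same certificate,
# e.g. to compare a service's ca.pem copy with the CA that signs agents.
same_ca() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# chains_to CA_FILE CERT: succeeds when openssl reports "CERT: OK".
chains_to() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_trust CA_FILE CERT: print subject and issuer, then a verdict.
check_trust() {
  openssl x509 -in "$2" -noout -subject -issuer
  if chains_to "$1" "$2"; then
    echo "OK: $2 chains to $1"
  else
    echo "FAIL: $2 does not verify against $1"
    return 1
  fi
}

# make_demo_pki DIR: constructed sample data. Two unrelated CAs (ca_a, ca_b)
# and a leaf for CN=puppet.internal.net signed by ca_a only.
make_demo_pki() {
  for n in ca_a ca_b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo $n" \
      -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet.internal.net" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca_a.pem" -CAkey "$1/ca_a.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Usage: sh check_trust.sh CA_FILE CERT, for instance (first path is an
# assumed default Puppet CA location, second is the directory in the post):
#   /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppetdb/ssl/public.pem
if [ "$#" -eq 2 ]; then check_trust "$1" "$2"; fi
```

Running `same_ca` on the `ca.pem` in the puppetdb ssl directory and the CA file the other service trusts shows whether the two sides hold the same CA certificate.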