SSL Cert issues - Puppet Agent and Master on same host

kevin.m...@gmail.com

Nov 18, 2014, 4:26:50 PM
to puppet...@googlegroups.com
Currently trying to get Puppet, Katello and Foreman to play nicely. Everything except Puppet is working as I would expect.

No matter what I try, whether it be blasting the /var/lib/puppet/ssl directory, running --clean (or whatever the commands are), or trying all the steps on the Puppet troubleshooting page, I always get the same messages---

[root@----- ]# puppet agent -t
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve information from environment production source(s) my-puppet-svr
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find node 'my-puppet-svr'; cannot compile
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

[root@----- puppet]# ./node.rb my-puppet-svr
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Since the puppet agent and master are running on the same machine and using the same physical certificate files, I do not understand what the issue is....

Any help is greatly appreciated.

Johan De Wit

Nov 19, 2014, 6:24:28 AM
to puppet...@googlegroups.com
netstat -tupln | grep 8140 : is puppet master up and running and listening

iptables -L -n :  firewall settings correct

ping my-puppet-svr : name resolution working

Just checking the obvious stuff first ...



-- 
Johan De Wit

kevin.m...@gmail.com

Nov 19, 2014, 9:24:58 AM
to puppet...@googlegroups.com


On Wednesday, November 19, 2014 6:24:28 AM UTC-5, Johan De Wit wrote:
> netstat -tupln | grep 8140 : is puppet master up and running and listening
>
> iptables -L -n :  firewall settings correct
>
> ping my-puppet-svr : name resolution working
>
> Just checking the obvious stuff first ...


[root@e-imgsrv puppet]# netstat -tulpn | grep 8140
tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      48905/ruby 

Don't have any firewall settings as network is unreachable from outside, but....
[root@e-imgsrv puppet]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

PING e-imgsrv.ufhpc (172.16.168.80) 56(84) bytes of data.
64 bytes from e-imgsrv.ufhpc (172.16.168.80): icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from e-imgsrv.ufhpc (172.16.168.80): icmp_seq=2 ttl=64 time=0.020 ms

Felix Frank

Nov 22, 2014, 3:53:38 PM
to puppet...@googlegroups.com
On 11/18/2014 10:26 PM, kevin.m...@gmail.com wrote:
> [root@----- puppet]# ./node.rb my-puppet-svr
> Could not send facts to Foreman: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed

Hmm, I don't know which TCP port is used to contact Foreman, but I
suggest using `openssl s_client` to see which certificate is being
presented, and to see whether it can be verified using -CAfile.

HTH,
Felix
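
The check Felix suggests, as an added example that is not part of the original thread: a shell helper that runs `openssl s_client` with `-CAfile` and reports the presented certificate's subject, issuer and verify result. The host, port and CA file are caller-supplied arguments (assumptions, not values from the thread), and the sample output with its hostnames is constructed.

```shell
# Added example (not from the thread): summarise what `openssl s_client`
# reports about the certificate a TLS server presents.

# Read s_client output on stdin; print subject, issuer and verify result.
# Returns 0 if the chain verified, 1 if it did not, 2 if no result was found.
summarize_s_client() {
    awk '
        /^subject=/ && !gs { gs = 1; sub(/^subject= */, ""); subj = $0 }
        /^issuer=/  && !gi { gi = 1; sub(/^issuer= */, "");  iss = $0 }
        /Verify return code:/ && !gv {
            gv = 1
            sub(/^.*Verify return code: */, "")
            code = $1 + 0
            sub(/^[0-9]+ */, ""); reason = $0
        }
        END {
            if (!gv) { print "verify:  no result (handshake failed?)"; exit 2 }
            print "subject: " subj
            print "issuer:  " iss
            print "verify:  " code " " reason
            exit (code == 0 ? 0 : 1)
        }'
}

# Connect to host:port and verify the presented chain against a CA bundle.
# All three arguments are supplied by the caller; none come from the thread.
check_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        </dev/null 2>/dev/null | summarize_s_client
}

# Constructed sample of s_client output for a server whose certificate was
# issued by a CA that is not in the -CAfile bundle (hostnames are made up).
sample_unverified() {
    cat <<'EOF'
subject=/CN=foreman.example.test
issuer=/CN=Other CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

if [ "$#" -eq 3 ]; then
    check_presented_cert "$@"
else
    sample_unverified | summarize_s_client || echo "(exit status $?)"
fi
```

Run with three arguments (host, port, CA file) to query a live server; with no arguments it only parses the constructed sample. An issuer that differs from the CA in the bundle is the usual reason for a non-zero verify code.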