SSL issues - certificate verify failed


Axel Bock

Aug 10, 2012, 8:10:57 AM
to puppet...@googlegroups.com
Hello readers,

I have this little issue that my puppet client refuses to do anything because of SSL validation errors. Maybe I'll just post a dump of what happens; that makes it clear, I hope. Does anyone have a suggestion why that might happen? What I already checked:

On the master:
  • Puppet and puppetmaster are running
  • Something is listening on Port 8140 (although I cannot telnet-connect to it, it closes immediately for whatever reason)
  • in /var/lib/puppet/ssl: find . -type f -delete

On the client:

  • in /var/lib/puppet/ssl: find . -type f -delete

I would appreciate any help that's available ...

thanks & greetings! Axel.


... and now the little dump:

(CLIENT)
root@l1311022:/var/lib/puppet/ssl$ puppet agent --test
info: Creating a new SSL key for l1311022.our.domain.de
warning: peer certificate won't be verified in this SSL session (2x)
info: Creating a new SSL certificate request for l1311022.our.domain.de
info: Certificate Request fingerprint (md5): 19:60:00:FE:95:D8:1B:D1:7A:0A:08:C1:1F:E1:94:4E
warning: peer certificate won't be verified in this SSL session (3x)
Exiting; no certificate found and waitforcert is disabled

(SERVER)
l1215022:/var/lib/puppet/ssl # pca -l
notice: Signed certificate request for ca
notice: Rebuilding inventory file
  l1311022.our.domain.de (19:60:00:FE:95:D8:1B:D1:7A:0A:08:C1:1F:E1:94:4E)
l1215022:/var/lib/puppet/ssl # pca -s --all
notice: Signed certificate request for l1311022.our.domain.de
notice: Removing file Puppet::SSL::CertificateRequest l1311022.our.domain.de at '/var/lib/puppet/ssl/ca/requests/l1311022.our.domain.de.pem'
l1215022:/var/lib/puppet/ssl #

(CLIENT)
root@l1311022:/var/lib/puppet/ssl$ puppet agent --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for l1311022.our.domain.de
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://l1215022.our.domain.de/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The config files look like this:

(CLIENT)
[main]

    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = /var/lib/puppet/ssl
    modulepath = /etc/puppet/modules:/opt/puppet/share/puppet/modules
[agent]
    certname = l1311022.our.domain.de
    server = l1215022.our.domain.de
    report = true
    graph = true
    pluginsync = true
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig

(SERVER)
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = /var/lib/puppet/ssl
    certname = l1215022.our.domain.de
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig

Axel Bock

Aug 10, 2012, 8:29:27 AM
to puppet...@googlegroups.com
Hm, never mind, I somehow solved it, although I'm not (yet) sure how. It involved a lot of restarting and deleting :)

thanks anyways!
Axel.


Axel Bock

Aug 10, 2012, 8:30:50 AM
to puppet...@googlegroups.com
Hm, never mind, I solved it somehow, although I don't know how (yet). It involved a lot of deleting and restarting :) ...

thanks anyways!
/Axel.

banjer

Aug 10, 2012, 10:53:41 AM
to puppet...@googlegroups.com
It usually involves doing this on the server:

  puppet cert clean myhost

and on the client:

  rm -rf /var/lib/puppet/ssl


Then try it again on your client:  `puppet agent --test`  Then back to your master:  `puppet cert sign myhost`.
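
Added example (not part of the thread and not Puppet's own tooling): a check for one common cause of "certificate verify failed", namely certificates issued by a CA other than the one in the local CA file, as happens when the master's ssl directory is emptied and a new CA is generated ("Signed certificate request for ca" in the dump above). The CA and host certificates are constructed in a temporary directory; the file names and the example.test hostnames are assumptions.

```shell
#!/bin/sh
# Added example: does a certificate chain to a given CA file?
# On a real agent, with the ssldir from the configs above and Puppet's
# standard layout, the check would be:
#   signed_by /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/<certname>.pem

# signed_by CA_FILE CERT_FILE: exit 0 only if CERT_FILE verifies against CA_FILE.
# The output is parsed because old openssl builds exit 0 even on failure.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_ca DIR NAME: constructed self-signed CA (NAME.key / NAME.pem), demo only.
# Both CAs get the same subject, as a regenerated CA on the same master would.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: master.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_host DIR CA_NAME: constructed host certificate signed by CA_NAME.
make_host() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/host.pem" 2>/dev/null
}

# ca_state CA_FILE CERT_FILE: prints "match" or "mismatch".
ca_state() {
    if signed_by "$1" "$2"; then echo match; else echo mismatch; fi
}

# demo: sign a host cert with CA "old", then generate a replacement CA "new"
# and show that the host cert only verifies against the CA that issued it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old && make_host "$d" old && make_ca "$d" new ||
        { rm -rf "$d"; return 1; }
    echo "old CA: $(ca_state "$d/old.pem" "$d/host.pem")"
    echo "new CA: $(ca_state "$d/new.pem" "$d/host.pem")"
    rm -rf "$d"
}
demo
```

A "mismatch" on a real host means the two sides hold certificates from different CAs, which is the state the clean, remove, re-request and sign sequence above resets.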

TEJASWI MUPPARAJU

Jan 30, 2014, 1:52:31 AM
to puppet...@googlegroups.com
Hi, 

I am having a similar issue and can't figure out why. Can anyone help me with this?

thanks,
Teja.