Multiple puppet masters and problem with crl.pem


Angel L. Mateo

Apr 27, 2016, 8:41:51 AM
to puppet...@googlegroups.com
Hello,

I'm deploying multiple puppetmasters (running the latest puppet server
AIO). So I have created a single puppet master acting as CA. I have no
problem with this.

But the problem I'm having is configuring another puppet master. This
one is configured to run its puppetserver but using the CA at the other, so:

* I have commented and uncommented the lines at
/etc/puppetlabs/puppetserver/bootstrap.cfg:

    # To enable the CA service, leave the following line uncommented
    #puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
    # To disable the CA service, comment out the above line and uncomment the line below
    puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service

* In /etc/puppetlabs/puppet/puppet.conf I have configured:

    ca_server = puppetca.mydomain.com
    ca = false
    server = puppetca.mydomain.com

With this configuration, when I run puppet agent for the first time on
this node, it creates the certificate request with no problem. Then I go
to puppetca and sign it, and then I try a second puppet agent run, which
works without problem.

But if after a minute I try to run puppet agent again, I get the error:

    root@mus32:/etc/puppetlabs/puppet# puppet agent --enable; puppet agent -t; puppet agent --disable
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Info: Retrieving pluginfacts
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Info: Retrieving plugin
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Info: Loading facts
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetca.um.es]

What I have found is that after the first puppet agent run, the
/etc/puppetlabs/puppet/ssl/crl.pem file is the same as on my puppetca
server, but then, after a moment, the file is changed and it seems to be
created with this node as issuer.

Any idea why this file is changed? Could it be that puppetserver
was modifying it?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
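Added diagnostic for the symptom described in this post (example code written for this page, not from the thread or from Puppet): it tells you whether an agent's crl.pem is still the CA's CRL. check_crl compares the CRL issuer with the CA certificate's subject and then verifies the CRL signature against the CA, so a CRL regenerated under the node's own name fails on the first test and one regenerated under the CA's name but with another key fails on the second. verify_with_crl repeats the revocation-checked validation the agent's TLS client performs; with a CRL from another issuer OpenSSL reports the same "unable to get certificate CRL" text seen in the agent run above. The openssl CLI is required. The CA names puppetca.example and mus32.example, the throwaway CA and host certificate built by mk_fixture, and all paths in the demo are constructed for the demonstration; the only real paths are the Puppet ones named in the post.

```shell
#!/bin/sh
# Example diagnostic, not part of the original post. Requires the openssl CLI.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# check_crl CRL_PEM CA_PEM
# Returns 0 when CRL_PEM names the CA in CA_PEM as issuer and its signature
# verifies against that CA; returns 1 with the reason on stdout otherwise.
check_crl() {
    crl="$1"; ca="$2"
    crl_issuer=$(openssl crl -in "$crl" -noout -issuer 2>/dev/null) ||
        { echo "FAIL: $crl is not a readable PEM CRL"; return 1; }
    ca_subject=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null) ||
        { echo "FAIL: $ca is not a readable PEM certificate"; return 1; }
    # Drop the "issuer=" / "subject=" labels so the two names are comparable.
    crl_issuer=${crl_issuer#issuer=}
    ca_subject=${ca_subject#subject=}
    if [ "$crl_issuer" != "$ca_subject" ]; then
        echo "FAIL: CRL issuer [$crl_issuer] is not the CA [$ca_subject]"
        return 1
    fi
    # Same name is not enough: a CRL signed with another key under the CA's
    # name must fail too. "verify OK" goes to stderr and the exit status
    # differs between OpenSSL versions, so match the message instead.
    if ! openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CRL signature does not verify against $ca"
        return 1
    fi
    echo "OK: $crl was issued and signed by $ca"
    return 0
}

# verify_with_crl HOST_CERT CA_PEM CRL_PEM
# What the agent's TLS client does: validate the server certificate against
# the CA with revocation checking on. A CRL from a different issuer makes
# openssl report "unable to get certificate CRL", as in the agent log.
verify_with_crl() {
    openssl verify -CAfile "$2" -CRLfile "$3" -crl_check "$1"
}

# mk_fixture DIR CN
# Constructed test data only: a throwaway self-signed CA named CN, one host
# certificate issued by it, and an empty CRL signed by it.
mk_fixture() {
    mkdir -p "$1"
    dir=$(cd "$1" && pwd); cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$cn" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.$cn" \
        -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/host.pem" >/dev/null 2>&1
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    # Minimal "openssl ca" configuration; only what -gencrl needs.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = throwaway
[ throwaway ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 1 -out "$dir/crl.pem" >/dev/null 2>&1
}

# Demonstration on constructed data: the CA's own CRL passes; a CRL issued
# under the agent's name (the symptom in the post) and a CRL under the CA's
# name but signed with another key both fail. Failing calls are expected
# here, so they are followed by "|| true" to keep the demo running.
demo() {
    work=$(mktemp -d)
    mk_fixture "$work/ca"     puppetca.example
    mk_fixture "$work/agent"  mus32.example
    mk_fixture "$work/samecn" puppetca.example
    check_crl "$work/ca/crl.pem"     "$work/ca/ca.pem"
    check_crl "$work/agent/crl.pem"  "$work/ca/ca.pem"  || true
    check_crl "$work/samecn/crl.pem" "$work/ca/ca.pem"  || true
    verify_with_crl "$work/ca/host.pem" "$work/ca/ca.pem" "$work/ca/crl.pem"
    verify_with_crl "$work/ca/host.pem" "$work/ca/ca.pem" "$work/agent/crl.pem" || true
    rm -rf "$work"
}
demo
```

On the affected node the check is `check_crl /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem`, using the two paths named in this thread. If the issuer printed is the node's own name, the local crl.pem has been regenerated locally rather than being the copy fetched from the CA, which is exactly the condition the agent's "unable to get certificate CRL" error reports.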

Ryan Anderson

Apr 28, 2016, 8:19:44 AM
to Puppet Users
I am pretty sure the issue is actually some configs needed on your non-CA master in its /etc/puppetlabs/puppetserver/conf.d/webserver.conf. See https://docs.puppet.com/puppetserver/2.2/external_ca_configuration.html for documentation on this. The added lines you likely need are these:

    ssl-cert = /etc/puppetlabs/puppet/ssl/certs/$HOSTNAME.example.com.pem
    ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/$HOSTNAME.example.com.pem
    ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/ca.pem