Certificate problems
Andthepharaohs
Hi all - my head hurts! ;-)
I am getting this error on my agent host:
err:
/Stage[main]/Testfiles/File[/tmp/test1]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e
failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not
match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com
This is the hosts
file entry on the agent:
10.6.176.21
ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet
I did have
certificates for the master (ncqd-isghub01) but following instructions provided
by others for addressing them, I removed them:
[root@ncqd-isghub01
ssl]# puppet cert clean ncqd-isghub01.nott.ime.reuters.com
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
At this point I realised that on the master host I had the wrong IP
address for itself (it had recently been relocated), so I corrected that and
for safety's sake cleaned out /var/lib/puppet/ssl. I then did the
following:
Master as agent:
[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for ncqd-isghub01.nott.ime.reuters.com
Info: Certificate Request fingerprint (SHA256): BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
Master as master:
[root@ncqd-isghub01 ssl]# puppet cert list
"ncqd-isghub01.nott.ime.reuters.com" (SHA256) BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
[root@ncqd-isghub01 ssl]# puppet cert sign ncqd-isghub01.nott.ime.reuters.com
Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com
Notice: Removing file Puppet::SSL::CertificateRequest ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
Master as agent:
Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com
Warning: Unable to fetch my node definition, but the agent run will continue:
[Not sure why this is reported –
it’s defined in /etc/puppet/manifest/nodes.pp and site.pp has import “nodes” , but it appears not to be relevant]
Warning: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:
[certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
[root@ncqd-isghub01 ssl]#
Now why would it be unable to
verify the certificate it’s just signed?
I then tried using my normal test
agent, expecting the certificate request to be generated anew, as I’d blitzed
it earlier:
Master as agent:
[root@ncqd-isghub01 ssl]# puppet cert list --all
+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256) 1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD
[root@ncqd-isghub01 ssl]#
Normal agent:
[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test
info: Retrieving plugin
info: Caching catalog for ntm-igdev02.nott.ime.reuters.com
info: Applying configuration version '1370523314'
notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:
--- /tmp/test1 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1g9ifbr-0 Thu Jun 6 14:18:34 2013
@@ -1,0 +1,1 @@
+this is file test1
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:
--- /tmp/test2 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1xfiqif-0 Thu Jun 6 14:18:37 2013
@@ -1,0 +1,1 @@
+this is file test2
err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: Finished catalog run in 6.33 seconds
[11674](root@ntm-igdev02)/etc/puppet:
So as far as the real agent is concerned , I’m back where I started and I don’t see why a new certificate request wasn’t generated – I still only have the one for the master. Also, why doesn’t the master recognise its own certificate?
Dan Hyatt
I understand there is a difference...
Certificate problems
On Client…
cd /etc/puppetlabs/puppet/ ssl
rm -rf ca certs public_keys certificate_requsts private_keys # make sure all files removed from SSL dir
puppet agent –t # this will run a few minutes the first time.
On server:
puppet cert clean server11.fqdn.com # against clients
puppet cert list
cd /etc/init.d/pe-httpd restart
puppet cert list
puppet cert sign –a # if you recognize all the servers in your cert list.
Nan Liu
Hi all - my head hurts! ;-)
I am getting this error on my agent host:
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
See http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificate and follow "Are Agents Contacting the Master at a Valid DNS Name?".
Matthew Schmitt
My Hiera data -
s_storage::params::storage_partition:
1:
storage_vip: ''
num_shards: 1
storage_db: hsqlstor01
replagent_host: ''
replagent_metrics_port: ''
file_deleter_host: hfdel01
file_deleter_metrics_port: '6266'
instance_deleter_host: ''
instance_deleter_metrics_port: ''
stor_host:
- hstor00
- hstor01
2:
storage_vip: '0000'
num_shards: 64
storage_db: hdbstor114
replagent_host: hrepl02
replagent_metrics_port: '21009'
file_deleter_host: hfdel01
file_deleter_metrics_port: '6250'
instance_deleter_host: hidel01
instance_deleter_metrics_port: '6450'
stor_host: 'node01, node02'
My code -
define sugarsync_storage::partition (
$storage_vip,
$num_shards,
$storage_db,
$replagent_host,
$replagent_metrics_port,
$instance_deleter_host,
$instance_deleter_metrics_port,
$file_deleter_host,
$file_deleter_metrics_port,
$stor_host,
) {
tag('config')
$storage_partition = $sugarsync_storage::storage_partition
storhost_lookup {"${stor_host}":}
} # Class sugarsync_storage::partition
define storhost_lookup () {
file { "${app_dir}/${app_name}/etc/props/${hostname}-00.stor.props":
ensure => 'file',
content => template('sugarsync_storage/storage_instance.erb'),
owner => 'scserver',
group => 'scserver',
mode => '0755',
}
}
I get the following error when I execute the puppet run -
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: File[//etc/props/node01-00.stor.props] is already declared in file /etc/puppet/modules/sugarsync_storage/manifests/partition.pp at line 25; cannot redeclare on node node01.home.local
Error: Could not retrieve catalog; skipping run
Thanks for any assistance.
Matt
Sam Sexton
--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/a8ueBCHsEZY/unsubscribe?hl=en.
To unsubscribe from this group and all its topics, send an email to puppet-users...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
/Sam