Hi all - my head hurts! ;-)
I am getting this error on my agent host:
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
This is the hosts file entry on the agent:
10.6.176.21 ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet
I did have certificates for the master (ncqd-isghub01) but following instructions provided by others for addressing them, I removed them:
[root@ncqd-isghub01 ssl]# puppet cert clean ncqd-isghub01.nott.ime.reuters.com
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
At this point I realised that on the master host I had the wrong IP address for itself (it had recently been relocated), so I corrected that and for safety's sake cleaned out /var/lib/puppet/ssl. I then did the following:
Master as agent:
[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for ncqd-isghub01.nott.ime.reuters.com
Info: Certificate Request fingerprint (SHA256): BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
Master as master:
[root@ncqd-isghub01 ssl]# puppet cert list
"ncqd-isghub01.nott.ime.reuters.com" (SHA256) BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
[root@ncqd-isghub01 ssl]# puppet cert sign ncqd-isghub01.nott.ime.reuters.com
Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com
Notice: Removing file Puppet::SSL::CertificateRequest ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
Master as agent:
Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com
Warning: Unable to fetch my node definition, but the agent run will continue:
[Not sure why this is reported – it's defined in /etc/puppet/manifest/nodes.pp and site.pp has import "nodes", but it appears not to be relevant]
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
[root@ncqd-isghub01 ssl]#
Now why would it be unable to verify the certificate it's just signed?
I then tried using my normal test agent, expecting the certificate request to be generated anew, as I'd blitzed it earlier:
Master as agent:
[root@ncqd-isghub01 ssl]# puppet cert list --all
+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256) 1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD
[root@ncqd-isghub01 ssl]#
Normal agent:
[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test
info: Retrieving plugin
info: Caching catalog for ntm-igdev02.nott.ime.reuters.com
info: Applying configuration version '1370523314'
notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:
--- /tmp/test1 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1g9ifbr-0 Thu Jun 6 14:18:34 2013
@@ -1,0 +1,1 @@
+this is file test1
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:
--- /tmp/test2 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1xfiqif-0 Thu Jun 6 14:18:37 2013
@@ -1,0 +1,1 @@
+this is file test2
err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: Finished catalog run in 6.33 seconds
[11674](root@ntm-igdev02)/etc/puppet:
So as far as the real agent is concerned, I'm back where I started and I don't see why a new certificate request wasn't generated – I still only have the one for the master. Also, why doesn't the master recognise its own certificate?
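The "did not match server certificate" error above is the TLS hostname check rejecting the short name 'ncqd-isghub01', which is neither the certificate's CN nor one of its DNS alt names. As an added example (not from this thread), the Ruby script below builds a throwaway self-signed certificate carrying the same CN and DNS names the error lists, then runs Ruby's OpenSSL identity check against the short name, 'puppet' and the FQDN; the key, serial and validity are constructed locally and are not the real master's.

```ruby
require 'openssl'

# Build a self-signed cert whose subject CN and DNS subjectAltNames mirror
# the names quoted in the agent's error message (constructed locally).
def build_master_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject           # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# For each name a client might connect with, ask OpenSSL whether the cert's
# identity (SAN DNS entries first, CN only if there are none) covers it.
def check_server_names(cert, candidates)
  candidates.each_with_object({}) do |name, result|
    result[name] = OpenSSL::SSL.verify_certificate_identity(cert, name)
  end
end

MASTER_CERT = build_master_cert(
  'ncqd-isghub01.nott.ime.reuters.com',
  ['ncqd-isghub01.nott.ime.reuters.com', 'puppet', 'puppet.nott.ime.reuters.com']
)

if __FILE__ == $0
  names = ['ncqd-isghub01', 'puppet', 'ncqd-isghub01.nott.ime.reuters.com']
  check_server_names(MASTER_CERT, names).each do |name, ok|
    puts "#{name}: #{ok ? 'matches' : 'does NOT match'} the server certificate"
  end
end
```

The short name fails while 'puppet' and the FQDN pass, so the agent must connect using a name the certificate carries (its `server` setting) or the master's certificate must be reissued with the short name among its alt names.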
Certificate problems
On client:
cd /etc/puppetlabs/puppet/ssl
rm -rf ca certs public_keys certificate_requests private_keys # make sure all files are removed from the SSL dir
puppet agent -t # this will run a few minutes the first time.
On server:
puppet cert clean server11.fqdn.com # against clients
puppet cert list
/etc/init.d/pe-httpd restart
puppet cert list
puppet cert sign -a # if you recognize all the servers in your cert list.
--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.