Solaris SSL error


chakkerz

Feb 9, 2009, 12:29:15 AM
to Puppet Users
Hello there

I'm having some issues and I'm not entirely sure where they are
starting (I'm not generally a Solaris user). I gather that there are
some discussions about the error messages, but if someone could tell
me what rock to look under first I'd appreciate it :)

My Solaris puppet (puppetsun) is supposed to talk to my puppet beta
master (running RHEL). I've done the puppetca --sign puppetsun... and
now when I run `puppet -vtd` I get:
debug: Creating default schedules
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[main]/File
[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/certs/puppetsun.example.org.pem]: Autorequiring File
[/var/lib/puppet/ssl/certs]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[main]/File
[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/public_keys/puppetsun.example.org.pem]:
Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/
ssl]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[puppetd]/
File[/etc/opt/csw/puppet/puppet.conf]: Autorequiring File[/etc/opt/csw/
puppet]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/private_keys/puppetsun.example.org.pem]:
Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/csr_puppetsun.example.org.pem]: Autorequiring File[/
var/lib/puppet/ssl]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/
ssl/certs]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[main]/File
[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc//opt/csw/puppet/puppet.conf]/Settings[ssl]/File[/
var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/
ssl]
debug: Finishing transaction 69307580 with 0 changes
debug: Puppet::Network::Client::File: defining fileserver.describe
debug: Puppet::Network::Client::File: defining fileserver.list
debug: Puppet::Network::Client::File: defining fileserver.retrieve
info: Retrieving plugins
debug: Calling fileserver.list
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources during transaction: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
debug: /File[/var/lib/puppet/lib]/checksum: Initializing checksum hash
debug: /File[/var/lib/puppet/lib]: Creating checksum {mtime}Sun Dec 28
10:53:11 +1000 1986
debug: Calling fileserver.describe
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Certificates were not trusted: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify
failed Could not describe /plugins: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
debug: Finishing transaction 74984300 with 0 changes
err: Could not retrieve catalog: private method `chomp' called for
nil:NilClass

I gather the certs aren't trusted. And what is the certname
configuration option... I ran a search on the puppet site and got
bupkis that looked relevant (but I might be blind)...

Cheers
chakkerz

Andrew Shafer

Feb 9, 2009, 12:39:52 AM
to puppet...@googlegroups.com
I believe that means the cert on the master and the client weren't signed by the same CA.

chakkerz

Feb 9, 2009, 4:50:50 PM
to Puppet Users
But that doesn't make sense ...

So what you're saying is that the Solaris host (all the RedHat ones are
working) will need to have its certs generated on a RedHat box,
and then transferred to the Solaris host?

But even then the architecture doesn't make sense, because I'm using a
self-signed cert, generated automatically when puppet does its thing.
I interpreted the certs as being used for identification, or rather
authentication. So what does the CA have to do with it? Further, why am
I getting the error AFTER I've had the master accept it by puppetca
--sign <whatever>? Shouldn't the error of different CAs occur then,
rather than after it has been accepted by the master, when the slave
tries to get updates?

I'll do some digging and see if I can find a guide that tells me
more...

Cheers though
chakkerz

chakkerz

Feb 9, 2009, 5:29:40 PM
to Puppet Users
Ok, I've re-read http://reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity
and some things fell into place (though it still doesn't work :) )

So the CA here is my host puppetbeta, which is the master. On it I
signed the cert that puppetsun generated when I ran `puppetd --test`,
using `puppetca --sign puppetsun...`, and when I run `puppetca --list --all`
it's happily there.

Just to be sure though (going on my former interpretation of 'signed'
as 'created'), I did the `puppetca --generate puppetsun` and then
copied
root@puppetsun:/var/lib/puppet/ssl# find ./
./
./private_keys
./private_keys/puppetsun.its.uq.edu.au.pem
./certs
./certs/ca.pem
./certs/puppetsun.its.uq.edu.au.pem

^ these. Upon running puppetd -vt I get:
root@puppetsun:/var/lib/puppet# /opt/csw/bin/puppetd -vt
info: Retrieving plugins
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources during transaction: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Certificates were not trusted: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify
failed Could not describe /plugins: Certificates were not trusted:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
err: Could not retrieve catalog: private method `chomp' called for
nil:NilClass

which remains the exact same error.

The two versions I'm running are:
Master:
[root@puppetbeta ssl]# puppet --version
0.24.7

Slave:
root@puppetsun:/opt/csw/bin# ./puppet --version
0.24.7

What's the certname option it talks about?

cheers
chakkerz

Ohad Levy

Feb 9, 2009, 10:42:30 PM
to puppet...@googlegroups.com
If you used the Solaris Blastwave packages, it might be that your certs are in a different directory... check your puppet configs for where your ssl dir is (could be /etc/puppet/ssl, /var/lib/puppet/ssl, /opt/csw/etc/puppet/ssl .....)

Cheers,
Ohad

chakkerz

Feb 10, 2009, 1:15:46 AM
to Puppet Users
Valid point; unfortunately, I configured this:
root@puppetsun:/opt/csw/bin# cat /opt/csw/etc/puppet/puppet.conf
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
pluginsync = true
factpath = $vardir/lib/facter
modulepath = $vardir/lib/modules

[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetbeta.its.uq.edu.au
root@puppetsun:/opt/csw/bin# diff !$ /etc/puppet/puppet.conf
diff /opt/csw/etc/puppet/puppet.conf /etc/puppet/puppet.conf
root@puppetsun:/opt/csw/bin#

Thanks for the thought though :)
chakkerz

Ohad Levy

Feb 10, 2009, 2:59:47 AM
to puppet...@googlegroups.com
Another issue I had on Solaris was that it wasn't using the right config file.... I ended up using --config /etc/puppet/puppet.conf

chakkerz

Feb 10, 2009, 6:35:47 PM
to Puppet Users
Hello again

--config makes no difference. Same error persists.

Cheers
chakkerz

chakkerz

Feb 11, 2009, 1:12:12 AM
to Puppet Users
Following the advice on the IRC channel I downgraded Ruby to 1.8.6
root@puppetsun:/opt/csw/bin# ./ruby -v
ruby 1.8.6 (2007-09-23 patchlevel 110) [i386-solaris2.8]

I now get a new error:
root@puppetsun:/opt/csw/bin# rm -rf /var/lib/puppet/
root@puppetsun:/opt/csw/bin# /opt/csw/bin/puppetd --test
info: Creating a new certificate request for puppetsun.example.org
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/
puppetsun.example.org.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Set to run 'one time'; exiting with no certificate
root@puppetsun:/opt/csw/bin# /opt/csw/bin/puppetd -vt
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Retrieving plugins
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources during transaction: Certificates were not trusted:
certificate verify failed
warning: Certificate validation failed; consider using the certname
configuration option
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Certificates were not trusted: certificate verify failed
Could not describe /plugins: Certificates were not trusted:
certificate verify failed
err: Could not retrieve catalog: private method `chomp' called for
nil:NilClass

This is after clearing /var/lib/puppet, restarting the daemon and
re-signing the cert.

The server has:
[root@puppetbeta /]# puppetca --list --all
+ puppetsun.its.uq.edu.au
+ puppetbeta.its.uq.edu.au

Cheers, and thanks for all the help on the channel, Damm, Andrew and
fujin in particular.

chakkerz

Rob Chanter

Feb 11, 2009, 5:32:48 PM
to puppet...@googlegroups.com
On Wed, Feb 11, 2009 at 5:12 PM, chakkerz <chak...@gmail.com> wrote:
> This is after clearing /var/lib/puppet , restarting the daemon and re-
> signing the cert.
>
> the server has:
> [root@puppetbeta /]# puppetca --list --all
> + puppetsun.its.uq.edu.au
> + puppetbeta.its.uq.edu.au
>

I had some similar trouble on solaris, which I eventually worked
around by manually copying the CA cert to the client and doing
master-side certificate generation. In our case, it isn't a problem to
include the CA cert in the client build.

cheers
rob

chakkerz

Feb 12, 2009, 12:54:25 AM
to Puppet Users
OK, new error. Regardless of which Ruby I use, I get the following if
I do a puppetca --generate puppetsun... and then transfer the files.
(Also this doesn't seem to care too much about permissions, but the
last time I did it, I was very careful to replicate the permissions
from the master.)

root@puppetsun:/var/lib/puppet# /opt/csw/bin/puppetd -vt
/opt/csw/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `add_file': system lib (OpenSSL::X509::StoreError)
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `cert_setup'
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:101:in `http_instance'
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/client.rb:130:in `initialize'
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `new'
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `initialize'
        from /opt/csw/lib/ruby/site_ruby/1.8/puppet/network/client/master.rb:198:in `initialize'
        from /opt/csw/bin/puppetd:328:in `new'
        from /opt/csw/bin/puppetd:328

The line in question reads:
store.add_file Puppet[:localcacert]

Alas this means very little to me...

Cheers
chakkerz

chakkerz

Feb 12, 2009, 5:12:43 PM
to Puppet Users
I've copied the ca.pem from the master to the client. Now I'm back to
the familiar:

root@puppetsun:/var/lib/puppet/ssl# /opt/csw/bin/puppetd -vt

AJ Christensen

Feb 12, 2009, 6:03:32 PM
to puppet...@googlegroups.com
Is there any particular reason you're copying the certificates and
whatnot by hand instead of using the built in mechanisms?

Regards,

AJ

chakkerz

Feb 12, 2009, 8:23:14 PM
to Puppet Users
Yeah... the built-in mechanism fails worse.

Ohad Levy

Feb 12, 2009, 8:30:30 PM
to puppet...@googlegroups.com
Well... it shouldn't...

Just another stupid question: your clocks are in sync, right?

chakkerz

Feb 18, 2009, 12:01:02 AM
to Puppet Users
Ohad ... no they weren't. It still isn't working but it looks like the
SSL thing is sorted.

Thanks everyone for their help.

chakkerz
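Ohad's clock question above was the cause of the bare "certificate verify failed". As an added example (not code from this thread or from Puppet itself), the Ruby script below verifies an agent certificate against a CA with the same OpenSSL::X509::Store that puppet's http_pool.rb builds, but at an explicit verification time, so a slow client clock reproduces the failure and the hint says why. The CA and agent certificates, keys and names (puppetbeta-ca, puppetsun) are constructed in memory for the demo.

```ruby
require 'openssl'
ONE_DAY = 24 * 3600

# Constructed stand-ins for the master's ca.pem and the agent's signed cert
# (example material only, not the certificates from this thread).
def make_cert(subject:, key:, not_before:, serial:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3, so basicConstraints is honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 365 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify the agent cert against the CA with an OpenSSL::X509::Store (what
# puppet's http_pool.rb does), but at an explicit clock, so an agent whose
# clock is behind the master can be diagnosed without touching system time.
# Returns [verified?, OpenSSL error string, clock hint].
def check_cert(ca_cert, cert, now: Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = now                      # the time the agent believes it is
  ok = store.verify(cert)
  hint = if now < cert.not_before
           "clock is #{((cert.not_before - now) / 60).round} min behind notBefore"
         elsif now > cert.not_after
           "certificate expired #{((now - cert.not_after) / ONE_DAY).round} days ago"
         else
           'clock is inside the validity window'
         end
  [ok, store.error_string, hint]
end

# The master signs the agent cert "now"; an agent whose clock is a day slow
# fails verification, which puppetd surfaces only as "certificate verify failed".
def demo
  signed_at = Time.now
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(subject: '/CN=puppetbeta-ca', key: ca_key, not_before: signed_at, serial: 1)
  agent = make_cert(subject: '/CN=puppetsun', key: OpenSSL::PKey::RSA.new(2048),
                    not_before: signed_at, issuer: ca, issuer_key: ca_key, serial: 2)
  { in_sync: check_cert(ca, agent, now: signed_at + 60),
    slow_clock: check_cert(ca, agent, now: signed_at - ONE_DAY) }
end
```

Run `ruby -e 'load "check.rb"; p demo'` to see the in-sync result verify with "ok" and the slow-clock result fail with a notBefore hint.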