Open source Signing Puppet master & Agent certificates


roopchand yanamadala

Jan 4, 2015, 8:44:05 PM1/4/15
to puppet...@googlegroups.com
Hi,

I am following the procedure below.


Master

#apt-get install puppet puppetmaster facter


Client side

#apt-get install puppet

Both servers

vi /etc/hosts
update master and agent IP address and hostname

ping master from agent and vice-versa

Make sure puppet master and puppet are running


Client side :

vi /etc/puppet/puppet.conf
[main]
server=<puppet-master>

--------------------

#puppet agent --server puppet-master --waitforcert 60 --test


Server :

#puppet cert --list

#puppet cert --sign puppet-client



I am getting the following errors:

ot@puppet-client:/etc/puppet# puppet agent --server puppet-master.xxx.com --waitforcert 60 --test
Info: Creating a new SSL key for puppet-client.xxx.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet-client.xxx.com
Info: Certificate Request fingerprint (SHA256): 13:AB:81:61:4A:31:5A:02:B5:A2:E1:75:F4:82:07:D7:E6:66:EE:F4:FF:02:F9:D1:D5:C2:B9:29:EB:D5:A3:A0
Info: Caching certificate for ca
Notice: Did not receive certificate
Notice: Did not receive certificate
Info: Caching certificate for puppet-client.xxx.com
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local] Could not retrieve file metadata for puppet://puppet-master.xxx.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]

jcbollinger

Jan 5, 2015, 11:11:43 AM1/5/15
to puppet...@googlegroups.com


On Sunday, January 4, 2015 7:44:05 PM UTC-6, roopchand yanamadala wrote:

[...]

 
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local] Could not retrieve file metadata for puppet://puppet-master.xxx.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]


By default, the master's CA identifies itself via a self-signed certificate, but your client seems to object to that. Since that is not the usual result, I have to guess that the client has been configured to refuse self-signed certificates by default (this would be in your system's SSL configuration, not in Puppet's own configuration).  In that case, your options would be:
  1. Configure your SSL library to accept self-signed certificates (at least the Puppet CA's), or
  2. Obtain and install on the master a CA certificate whose certificate chain traces back to an authority the client trusts.
I'm afraid I have no personal experience with the details of either.


John
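Before changing the system SSL configuration or replacing the master's CA, it is worth checking that the agent is actually trusting the CA the master uses. The agent output above names the CA as "Puppet CA: puppet-master.xxx.local" while the agent was pointed at puppet-master.xxx.com, and "self signed certificate in certificate chain" is what OpenSSL reports when the CA certificate presented in the chain is not the one in the trust store. The script below is an added example, not code from the thread or from Puppet: it parses the agent's error line to compare the CA subject with the --server host, and fingerprints two CA certificate files (SHA256 over the DER bytes, in the colon-separated layout `puppet cert --fingerprint` uses) so a stale cached CA stands out. It assumes the agent's cached CA lives at the default ssldir path (/var/lib/puppet/ssl/certs/ca.pem) and the master's copy at the same path on the master; the PEM files and log lines embedded here are constructed stand-ins, not real certificates.

```python
"""Offline triage for a Puppet agent 'certificate verify failed' run.

Added example (not from the thread). Two checks:
  1. Pull the Puppet CA subject out of the verify-failed line and compare it
     with the host the agent was pointed at via --server.
  2. Fingerprint two ca.pem files (assumed default paths:
     /var/lib/puppet/ssl/certs/ca.pem on agent and master) the way
     `puppet cert --fingerprint` reports them: SHA256 over the DER bytes.
     Different fingerprints mean the agent trusts a CA other than the one
     that signed the master's certificate.
"""
import base64
import hashlib
import re

# Reason and CA subject inside the agent's SSL error text.
VERIFY_FAILED = re.compile(
    r"certificate verify failed: \[(?P<reason>.+?) for /CN=(?P<ca_cn>[^\]]+)\]"
)
# The --server value on the command line echoed at the top of the run.
SERVER_FLAG = re.compile(r"puppet agent .*--server\s+(?P<server>\S+)")


def parse_agent_output(lines):
    """Return {'server', 'reason', 'ca_cn'} for the first verify failure, or None."""
    server = None
    for line in lines:
        m = SERVER_FLAG.search(line)
        if m:
            server = m.group("server")
        m = VERIFY_FAILED.search(line)
        if m:
            return {"server": server, "reason": m.group("reason"), "ca_cn": m.group("ca_cn")}
    return None


def ca_host(ca_cn):
    """'Puppet CA: puppet-master.xxx.local' -> 'puppet-master.xxx.local'."""
    return ca_cn.split(":", 1)[1].strip() if ":" in ca_cn else ca_cn.strip()


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(pem_text):
    """SHA256 fingerprint in the AA:BB:CC:... layout Puppet prints."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(lines, master_ca_pem, agent_ca_pem):
    """Return a list of findings; an empty list means nothing suspicious was spotted."""
    findings = []
    hit = parse_agent_output(lines)
    if hit and hit["server"] and ca_host(hit["ca_cn"]) != hit["server"]:
        findings.append(
            f"CA subject names {ca_host(hit['ca_cn'])} but the agent talks to "
            f"{hit['server']}: the cached CA may not be this master's CA"
        )
    if fingerprint(master_ca_pem) != fingerprint(agent_ca_pem):
        findings.append("agent's cached ca.pem differs from the CA certificate the master serves")
    return findings


def _fake_pem(payload):
    # Constructed stand-in for a ca.pem file; the payload is NOT real X.509 DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


MASTER_CA_PEM = _fake_pem(b"constructed: CA certificate the master currently serves")
AGENT_CACHED_CA_PEM = _fake_pem(b"constructed: older CA certificate left in the agent's ssl dir")

# Constructed excerpt modelled on the agent run in the post.
AGENT_LOG = [
    "# puppet agent --server puppet-master.xxx.com --waitforcert 60 --test",
    "Info: Caching certificate for ca",
    "Notice: Did not receive certificate",
    "Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 "
    "state=SSLv3 read server certificate B: certificate verify failed: "
    "[self signed certificate in certificate chain for /CN=Puppet CA: puppet-master.xxx.local]",
]

if __name__ == "__main__":
    for finding in diagnose(AGENT_LOG, MASTER_CA_PEM, AGENT_CACHED_CA_PEM):
        print("FINDING:", finding)
```

On a real pair of hosts, read the two ca.pem files with `open(...).read()` and pass them to `diagnose()` together with the captured agent output; if both findings fire, the agent's ssl directory holds a CA that is not the master's, and clearing it so the agent re-fetches the CA and submits a fresh CSR is the usual fix. If neither fires, the trust problem sits elsewhere and John's two options above are the next thing to look at.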
