First time puppet agent setup on FreeBSD -- SSL_connect error when requesting certificate.


Stefan Lasiewski

Aug 21, 2013, 8:23:46 PM
to puppet...@googlegroups.com
I am at PuppetConf today. I just set up a new VM running a brand new version of FreeBSD 9.2. I created my Puppetmaster during a Puppet course today, using a VM from puppetlabs.com.

When I attempt to acquire a certificate from the Puppetmaster, I get a strange error. The agent & master can both ping each other, and their system clocks are within seconds of each other (but different timezones, which shouldn't matter).

The agent can ping and connect to the master, but the connection fails during the SSL connection. Any idea what is going on?

From the agent:

root@agent2:~ # date
Wed Aug 21 17:13:03 PDT 2013
root@agent2:~ # puppet --version
3.2.3

root@agent2:~ # ping puppetmaster
PING puppetmaster.puppetlabs.vm (172.16.68.129): 56 data bytes
64 bytes from 172.16.68.129: icmp_seq=0 ttl=64 time=0.297 ms
...
root@agent2:~ # puppet agent --test
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Exiting; failed to retrieve certificate and waitforcert is disabled

And looking from the Puppet master side:

[root@puppetmaster ~]# date
Thu Aug 22 00:13:01 UTC 2013
[root@stefan ~]# puppet --version
3.2.2 (Puppet Enterprise 3.0.0)
[root@puppetmaster ~]# ping agent2
PING agent2.puppetlabs.vm (172.16.68.131) 56(84) bytes of data.
64 bytes from agent2.puppetlabs.vm (172.16.68.131): icmp_seq=1 ttl=64 time=1.84 ms

I have a third, brand new VM running CentOS 6.4, and it was able to request a certificate without any problems.

-= Stefan

Peter Bukowinski

Aug 21, 2013, 8:35:33 PM
to puppet...@googlegroups.com, puppet...@googlegroups.com
Stefan,

If you do not have cert auto-signing enabled, the first time an agent connects to the master, you should use the -w option, e.g.:

puppet agent -t -w 30

This will tell the agent to wait for the master (you) to sign the cert request. Once that's done, the rest of the puppet run should kick off.

(I'm at PuppetConf, too.)

-- Peter (from phone)
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Stefan Lasiewski

Aug 22, 2013, 12:42:19 AM
to puppet...@googlegroups.com
Great! I remember glancing at your nametag (A fellow -ski!)

Thanks for the pointer. However, it still isn't working.

root@agent2:~ # puppet agent --test --waitforcert 30

Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)

Ah! I figured this out. So, my Puppet Enterprise instance had two names (puppetmaster and another name). This arcane error simply happened because my agent was connecting to the server with one name, and the server presented a certificate with a different name. Perhaps this was a problem with another certificate in the certificate chain. Simple problem, but the error was not at all clear, and was unlike any openssl error that I've run into in the past.

-= Stefan
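
The name comparison described in the post above, as an added example that is not part of the original thread: it checks whether the name an agent connects to is one of the names in the master's certificate, using Ruby's own OpenSSL hostname verification. The certificate is a constructed, self-signed sample and `master-alias.example.test` is a made-up second name; with a real master, load its PEM with `OpenSSL::X509::Certificate.new` instead.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed certificate standing in for the
# one a master presents on port 8140. All names passed in are sample values.
def sample_master_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless alt_names.empty?
    ef  = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# DNS names the certificate is valid for: the SAN dNSName entries, or the
# subject CN when the certificate carries no SAN at all.
def certificate_names(cert)
  san = cert.extensions.select { |e| e.oid == 'subjectAltName' }
            .flat_map { |e| e.value.split(/,\s*/) }
            .grep(/\ADNS:/).map { |v| v.delete_prefix('DNS:') }
  return san unless san.empty?
  cert.subject.to_a.select { |oid, _| oid == 'CN' }.map { |_, value| value }
end

# Compare the name the agent would connect to (its `server` setting) with
# the names in the certificate.
def check_server_name(cert, server)
  { server: server,
    match: OpenSSL::SSL.verify_certificate_identity(cert, server),
    valid_names: certificate_names(cert) }
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_master_cert('puppetmaster.puppetlabs.vm',
                            %w[puppetmaster.puppetlabs.vm puppetmaster])
  %w[puppetmaster master-alias.example.test].each do |name|
    r = check_server_name(cert, name)
    puts "#{r[:server]}: #{r[:match] ? 'ok' : 'MISMATCH'} (certificate names: #{r[:valid_names].join(', ')})"
  end
end
```

A certificate with only a CN of `puppetmaster.puppetlabs.vm` and no SAN entries fails the same check for the short name `puppetmaster`, so the agent's `server` value has to match a listed name exactly.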
