Using Puppet with a self-signed ssl certificate


Tom Albrecht

Mar 26, 2014, 5:55:16 PM
to puppet...@googlegroups.com
The corporate environment I'm in is doing ssl decryption on their traffic, and therefore requires a corporate self-signed ssl certificate to be installed on any clients throughout the enterprise.

I have a puppet server (CentOS 6.5) with the cert installed, and the agent on the server will no longer connect to itself.  I get the following error:

[root@foo certs]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...] Could not retrieve file metadata for puppet://taisrsvr01/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for ...]

The "..." is information on the self-signed cert.  I've already been banging my head just trying to get the whole ssl cert stuff working, and it's very possible I screwed something up.

Any ideas?

Felix Frank

Apr 16, 2014, 9:26:48 AM
to puppet...@googlegroups.com
Actually, yeah. Can't you just use that corporate cert as your CA?

I think you would end up with this:
http://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html#option-1-single-ca

HTH,
Felix
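An added shell demonstration (not code from the thread or from Puppet) of what the agent's "self signed certificate in certificate chain" error means and what clears it: a constructed corporate-style root signs a server cert, verification fails while the trust bundle lacks that root, and succeeds once the root is the CA in the bundle, which is the relationship Puppet's `localcacert` bundle has to the master's chain. It assumes the `openssl` CLI is installed; all subject names and the hostname `puppet.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Reproduce X.509 error 19 ("self signed certificate in certificate chain")
# with a constructed corporate root and a server cert it signed, then show
# the same chain verifying once that root is in the trust bundle.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the corporate self-signed root.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Corp Root (constructed)" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
# Constructed stand-in for the master's cert, signed by that root
# (puppet.example.test is a placeholder, not the poster's server).
openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -out "$WORK/server.pem" >/dev/null 2>&1
# A bundle that does NOT contain the corporate root, standing in for an
# agent whose localcacert only knows the Puppet CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Puppet CA (constructed)" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# chain_status BUNDLE: verify server.pem with the root presented as part of
# the served chain (-untrusted, as an interception proxy would send it),
# trusting only BUNDLE. Prints "OK" or the reason openssl reports
# (OpenSSL 3 hyphenates it as "self-signed certificate in certificate chain").
chain_status() {
  out=$(openssl verify -CAfile "$1" -untrusted "$WORK/root.pem" "$WORK/server.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *"depth lookup:"*) printf '%s\n' "$out" | sed -n 's/.*depth lookup:[[:space:]]*//p' | head -n 1 ;;
    *) printf '%s\n' "$out" ;;
  esac
}

echo "without corporate root in bundle: $(chain_status "$WORK/other.pem")"
echo "with corporate root as the CA:    $(chain_status "$WORK/root.pem")"
```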