Re: Thu Nov 29 10:17:51 +0000 2012 Puppet (err): Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for XXX to PuppetDB at puppetdb.aus-tx.colo:8081: SSL_connect SYSCALL returne


Felipe Salum

Nov 29, 2012, 1:25:08 PM
to puppet...@googlegroups.com
I had the same setup issue.

Go to your CA server and copy the puppet master's unique certname .pem from /var/lib/puppet/ssl/{certs,private_keys}/ to both of your puppet master workers and restart apache.

Also make sure to follow this: http://docs.puppetlabs.com/guides/scaling_multiple_masters.html

The dns_alt_names part is very important:
 $ sudo puppet agent --test --dns_alt_names "master2.example.com,puppet,puppet.example.com"

I hope it helps, I spent a few hours until I got it figured out :)

Regards,
Felipe

On Thursday, November 29, 2012 3:31:59 AM UTC-8, Kalyana sundaram wrote:
I have set up two puppet masters (load balanced) with a separate CA server (ca is set to false on the masters). I brought up a new server for PuppetDB. It got its certs signed by the ca_server and ran puppet agent without any issue. But when I started puppetdb and changed the puppet masters' conf to use puppetdb (as per the docs for puppetdb), this error started appearing and basically stopped the puppet run:
 
Thu Nov 29 10:17:51 +0000 2012 Puppet (err): Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for XXX to PuppetDB at puppetdb.aus-tx.colo:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

The puppetdb log throws
  
   [qtp665563146-341] [io.nio] javax.net.ssl.SSLHandshakeException: null cert chain

I tested a https curl using command
 curl -H "Accept: application/json" 'https://puppetdb:8081/facts' --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/puppetmaster.pem --key /var/lib/puppet/ssl/private_keys/puppetmaster.pem 
  
The curl didn't throw any error.

I have been stuck here for a long time. Please share your expertise.

Kalyana sundaram

Nov 30, 2012, 3:09:13 PM
to puppet...@googlegroups.com
Thanks Felipe.
Syncing the certs and private keys with the ca_server worked.
But could somebody help me understand why each master should have the CA server's private key?
How exactly does this authentication process work?

Felipe Salum

Nov 30, 2012, 4:13:36 PM
to puppet...@googlegroups.com
I'm not sure if I'm correct, but this is what I understood after spending a few hours on it:

Let's suppose you have:

certname: puppet.example.com

puppet_ca.example.com
puppet_worker1.example.com
puppet_worker2.example.com
puppetdb1.example.com

Your PuppetDB registered with your CA using the certname puppet.example.com, but your puppet workers only have their own certnames (puppet_worker1.example.com and puppet_worker2.example.com). When they talk with PuppetDB to fetch/replace the facts, PuppetDB doesn't accept their certificates because it was registered to the certname puppet.example.com.

Copying the puppet.example.com certificate from the CA to the workers makes them use it when responding to a puppet run under that certname.

Felipe

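The two points Felipe makes above (copy the shared certname's cert and key to every worker, and make sure that cert carries the names in dns_alt_names) come down to three things an operator can check on disk before blaming the TLS stack: that the cert chains to the ca.pem PuppetDB trusts, that the private key next to it really belongs to it, and that the subjectAltName lists every name the peers will use. The following is an added example, not code from this thread or from Puppet or PuppetDB: it builds a throwaway CA in a temporary directory (standing in for the ca_server), issues one "puppet.example.com" certificate with the alt names from the thread and one plain "puppet_worker1.example.com" certificate with no alt names, and runs those three checks with openssl. The hostnames, file names and the WORK directory are all constructed for the demo; nothing touches /var/lib/puppet.

```shell
#!/bin/sh
# Added example (not from the thread, Puppet or PuppetDB). Builds a throwaway
# CA plus two leaf certs in a temp dir and checks what a worker needs in order
# to present a usable client identity to PuppetDB. All names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
ALT_NAMES="DNS:puppet.example.com,DNS:puppet,DNS:master2.example.com"

make_demo_pki() {
    # 1. CA key + self-signed CA cert (what the ca_server holds)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=puppet_ca.example.com" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca.pem" 2>/dev/null
    # 2. the shared master identity, with SANs as --dns_alt_names would request
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=puppet.example.com" \
        -keyout "$WORK/puppet.example.com.key" \
        -out "$WORK/puppet.example.com.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$ALT_NAMES" > "$WORK/san.cnf"
    openssl x509 -req -sha256 -days 1 -CAcreateserial -extfile "$WORK/san.cnf" \
        -in "$WORK/puppet.example.com.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" \
        -out "$WORK/puppet.example.com.pem" 2>/dev/null
    # 3. a worker's own cert: CN only, no alt names
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=puppet_worker1.example.com" \
        -keyout "$WORK/puppet_worker1.example.com.key" \
        -out "$WORK/puppet_worker1.example.com.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -CAcreateserial \
        -in "$WORK/puppet_worker1.example.com.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" \
        -out "$WORK/puppet_worker1.example.com.pem" 2>/dev/null
}

# Does the cert chain to the CA file that PuppetDB (and curl --cacert) trusts?
chain_ok() {   # $1 ca.pem  $2 cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the cert? A cert copied from the CA without
# its matching key cannot be used as a client identity in the handshake.
key_matches_cert() {   # $1 cert.pem  $2 key.pem
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Does the cert carry the given name in subjectAltName? Exact match per entry,
# so "puppet" does not match "puppet.example.com".
cert_has_dns_name() {   # $1 cert.pem  $2 hostname
    openssl x509 -noout -text -in "$1" \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -qx "DNS:$2"
}

make_demo_pki
for name in puppet puppet.example.com master2.example.com; do
    for cert in puppet.example.com puppet_worker1.example.com; do
        if cert_has_dns_name "$WORK/$cert.pem" "$name"; then r=yes; else r=no; fi
        echo "$cert.pem answers to $name: $r"
    done
done
```

Run against a real worker, the same three functions take `$ssldir/certs/ca.pem`, the certname cert and its private key; a handshake that fails on the PuppetDB side while `chain_ok` and `key_matches_cert` pass is usually the third case, a cert that simply does not carry the name the peer was told to expect.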

Kalyana sundaram

Nov 30, 2012, 10:23:24 PM
to puppet...@googlegroups.com
If I am right, Puppet usually sends the cert named $ssldir/certs/<node>.pem and uses the private key $ssldir/private_keys/<node>.pem. But now how does it use $ssldir/certs/ca.pem and correctly use the private key $ssldir/private_keys/<ca_server>.pem?
And am I right that PuppetDB requires a ca.pem signed by the CA's private key during the fetch/replace request?