Puppetmaster generated Certificate with "old" CA domainname


yamaka...@gmail.com
Nov 19, 2013, 6:48:18 PM
to puppet...@googlegroups.com
Hi All,

I'm facing a very strange problem.

Because I had some mismatching with new agents I decided to remove all my certs and start over. This all goes well, I can sign new agent certs, but after that when I run an agent test I get some strange error:

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local] Could not retrieve file metadata for puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]

In the past I changed my Foreman install from OLD.domain.local to domain.local as I didn't need a subdomain anymore. I changed all kinds of things that were needed in Foreman and Puppet and regenerated the certs. Everything seemed to go well, until now.

I have run grep -iR 'OLD.domain' . in all kinds of folders, /etc and /var/lib/puppet, and I don't see anything strange, only old logs. Only in /usr/lib/jvm/ do I see some Java cert stuff that the name might be in, but that's just that.

What can I do to solve this? I'm really lost as to why and how this evening.

I hope someone can help out.

Thanks!

Matt


Mark Walkom
Nov 19, 2013, 6:49:31 PM
to puppet...@googlegroups.com
Did you clean the agent cert store out as well?
I've run into similar and that's sorted the issue.

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: ma...@campaignmonitor.com
web: www.campaignmonitor.com


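The check Mark suggests (a stale agent cert store) can be confirmed before wiping anything. This is an added example, not code from the thread; it assumes the default ssldir /var/lib/puppet/ssl, the master name fm-01.domain.local taken from the error above, and that openssl is installed on the agent:

```shell
#!/bin/sh
# Added diagnostic: compare the CA certificate cached in an agent's ssldir with
# the CA name the master is expected to present. Puppet names its CA
# "Puppet CA: <master fqdn>", so a CN that still carries the old domain means a
# stale ca.pem was left behind in the agent's store.
# Assumed values: ssldir /var/lib/puppet/ssl, master fm-01.domain.local.

# Pull the CN out of an "openssl x509 -subject" line; handles both the
# "subject= /CN=..." and the newer "subject=CN = ..." layouts.
puppet_ca_cn() {
  printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Return 0 when the cached CA CN is exactly "Puppet CA: <master fqdn>".
ca_matches_master() {   # $1 = subject line, $2 = master fqdn
  [ "$(puppet_ca_cn "$1")" = "Puppet CA: $2" ]
}

# Inspect a real ssldir (needs openssl). Returns 0 if the cached CA matches,
# 1 if it names another CA (stale store), 2 if no CA cert is cached at all.
check_agent_ca() {      # $1 = ssldir, $2 = master fqdn
  ca="$1/certs/ca.pem"
  [ -r "$ca" ] || { echo "no cached CA at $ca"; return 2; }
  subj=$(openssl x509 -noout -subject -in "$ca")
  if ca_matches_master "$subj" "$2"; then
    echo "cached CA matches master: $(puppet_ca_cn "$subj")"
  else
    echo "stale CA in $1: $(puppet_ca_cn "$subj") (expected Puppet CA: $2)"
    echo "remove $1 on the agent, request a fresh cert, then sign it on the master"
    return 1
  fi
}

# Usage: ./check_agent_ca.sh /var/lib/puppet/ssl fm-01.domain.local
if [ $# -eq 2 ]; then check_agent_ca "$1" "$2"; fi
```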

yamaka...@gmail.com
Nov 19, 2013, 7:54:09 PM
to puppet...@googlegroups.com
Hi Mark,

Yes, I removed /var/lib/puppet/ssl on the agent.

At the moment I get: Error: Could not request certificate: Connection timed out - connect(2)

But what I see on the master when running the agent on a client:

tcp        0      0 10.0.0.250:8140         dhcp-01.domain...:46779 SYN_RECV  

And that takes a long time and the connection timeout happens.

Matt


On Wednesday, 20 November 2013 00:49:31 UTC+1, Mark Walkom wrote:

yamaka...@gmail.com
Nov 19, 2013, 8:03:20 PM
to puppet...@googlegroups.com
I have to say, both hosts are in /etc/hosts to be sure it's not a DNS issue.

On Wednesday, 20 November 2013 01:54:09 UTC+1, yamaka...@gmail.com wrote:

Felix Frank
Nov 21, 2013, 5:15:48 AM
to puppet...@googlegroups.com
Hi,

Hmm, the TCP handshake fails...?

Is there firewalling on master and/or agent side?

Are you using Passenger, by the way?

Cheers,
Felix