Certificate problems

1031 views
Skip to first unread message

Andthepharaohs

unread,
Jun 6, 2013, 10:52:26 AM6/6/13
to puppet...@googlegroups.com

Hi all - my head hurts! ;-)

I am getting this error on my agent host:

err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com

This is the hosts file entry on the agent:

10.6.176.21     ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet

I did have certificates for the master (ncqd-isghub01) but following instructions provided by others for addressing them, I removed them:

[root@ncqd-isghub01 ssl]# puppet cert clean ncqd-isghub01.nott.ime.reuters.com

Notice: Revoked certificate with serial 5

Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'

Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'

Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'

[root@ncqd-isghub01 ssl]# 

At this point I realised that on the master host I had the wrong IP address for itself (it had recently been relocated), so I corrected that and for safety's sake cleaned out /var/lib/puppet/ssl. I then did the following:

Master as agent:

[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test

Info: Caching certificate for ca

Info: Creating a new SSL certificate request for ncqd-isghub01.nott.ime.reuters.com

Info: Certificate Request fingerprint (SHA256): BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D

Master as master:

[root@ncqd-isghub01 ssl]# puppet cert list

  "ncqd-isghub01.nott.ime.reuters.com" (SHA256) BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D

[root@ncqd-isghub01 ssl]# puppet cert sign ncqd-isghub01.nott.ime.reuters.com

Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com

Notice: Removing file Puppet::SSL::CertificateRequest ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'

[root@ncqd-isghub01 ssl]#

Master as agent:

Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com

Warning: Unable to fetch my node definition, but the agent run will continue:

[Not sure why this is reported – it’s defined in /etc/puppet/manifest/nodes.pp and site.pp has   import “nodes”   , but it appears not to be relevant]

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

Info: Retrieving plugin

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

Warning: Not using cache on failed catalog

Error: Could not retrieve catalog; skipping run

Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

[root@ncqd-isghub01 ssl]#

Now why would it be unable to verify the certificate it’s just signed?

I then tried using my normal test agent, expecting the certificate request to be generated anew, as I’d blitzed it earlier:

Master as agent:

[root@ncqd-isghub01 ssl]# puppet cert list --all

+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256) 1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD

[root@ncqd-isghub01 ssl]#

Normal agent:

[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test

info: Retrieving plugin

info: Caching catalog for ntm-igdev02.nott.ime.reuters.com

info: Applying configuration version '1370523314'

notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:

--- /tmp/test1  Tue Jun  4 10:38:59 2013

+++ /tmp/puppet-file20130606-25892-1g9ifbr-0    Thu Jun  6 14:18:34 2013

@@ -1,0 +1,1 @@

+this is file test1

err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com

notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:

--- /tmp/test2  Tue Jun  4 10:38:59 2013

+++ /tmp/puppet-file20130606-25892-1xfiqif-0    Thu Jun  6 14:18:37 2013

@@ -1,0 +1,1 @@

+this is file test2

 err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com

notice: Finished catalog run in 6.33 seconds

[11674](root@ntm-igdev02)/etc/puppet:

 So as far as the real agent is concerned , I’m back where I started and I don’t see why a new certificate request wasn’t generated – I still only have the one for the master. Also, why doesn’t the master recognise its own certificate?

Dan Hyatt

unread,
Jun 6, 2013, 11:16:25 AM6/6/13
to puppet...@googlegroups.com
First off are you running open source puppet or puppetlabs. 
I understand there is a difference...
and most instructions do not include restarting the pe-http daemon so you have stale data in there..


This is what I did 

Certificate problems

On Client…

 cd /etc/puppetlabs/puppet/ ssl

   rm -rf ca certs public_keys certificate_requsts private_keys  # make sure all files removed from SSL dir

 puppet agent –t  # this will run a few minutes the first time.

 

On server:
 puppet cert clean server11.fqdn.com      # against clients

   puppet cert list 

   cd /etc/init.d/pe-httpd restart

   puppet cert list

   puppet cert sign –a   # if you recognize all the servers in your cert list.

Nan Liu

unread,
Jun 6, 2013, 12:50:51 PM6/6/13
to puppet...@googlegroups.com
On Thu, Jun 6, 2013 at 7:52 AM, Andthepharaohs <puhe...@gmail.com> wrote:

Hi all - my head hurts! ;-)

I am getting this error on my agent host:

err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com


You are connecting to the master using the option --server 'ncqd-isghub01', but did not list that in the dns_alt_names option when you generated the master cert.

See http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificate and follow "Are Agents Contacting the Master at a Valid DNS Name?".

Nan

Matthew Schmitt

unread,
Jun 6, 2013, 1:19:20 PM6/6/13
to puppet...@googlegroups.com
I'm trying to create config files from an array of hostnames, specifically from the param 'stor_host' -

My Hiera data -

s_storage::params::storage_partition:
1:
storage_vip: ''
num_shards: 1
storage_db: hsqlstor01
replagent_host: ''
replagent_metrics_port: ''
file_deleter_host: hfdel01
file_deleter_metrics_port: '6266'
instance_deleter_host: ''
instance_deleter_metrics_port: ''
stor_host:
- hstor00
- hstor01
2:
storage_vip: '0000'
num_shards: 64
storage_db: hdbstor114
replagent_host: hrepl02
replagent_metrics_port: '21009'
file_deleter_host: hfdel01
file_deleter_metrics_port: '6250'
instance_deleter_host: hidel01
instance_deleter_metrics_port: '6450'
stor_host: 'node01, node02'

My code -

define sugarsync_storage::partition (
$storage_vip,
$num_shards,
$storage_db,
$replagent_host,
$replagent_metrics_port,
$instance_deleter_host,
$instance_deleter_metrics_port,
$file_deleter_host,
$file_deleter_metrics_port,
$stor_host,
) {
tag('config')
$storage_partition = $sugarsync_storage::storage_partition
storhost_lookup {"${stor_host}":}
} # Class sugarsync_storage::partition

define storhost_lookup () {
file { "${app_dir}/${app_name}/etc/props/${hostname}-00.stor.props":
ensure => 'file',
content => template('sugarsync_storage/storage_instance.erb'),
owner => 'scserver',
group => 'scserver',
mode => '0755',
}
}

I get the following error when I execute the puppet run -

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: File[//etc/props/node01-00.stor.props] is already declared in file /etc/puppet/modules/sugarsync_storage/manifests/partition.pp at line 25; cannot redeclare on node node01.home.local
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I'm stuck figuring out where the duplicate is coming from.

Thanks for any assistance.

Matt

Sam Sexton

unread,
Jun 6, 2013, 2:45:12 PM6/6/13
to puppet...@googlegroups.com
Many thanks, Nan - I'll try that in the morning.

Regards, Sam


--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/a8ueBCHsEZY/unsubscribe?hl=en.
To unsubscribe from this group and all its topics, send an email to puppet-users...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 



--
/Sam

Andthepharaohs

unread,
Jun 7, 2013, 7:10:56 AM6/7/13
to puppet...@googlegroups.com
Thanks Dan (I'm running puppet) and Nan - I regenerated the certificate, but still had problems - removing the ssl directory was not a good idea! I've decided to reinstall from scratch, as I can then ensure a clean system and document the details. I will close this when I have it up and running, but it may be a while as I'm being diverted to other work and am holiday soon.

Thanks for your prompt help!
Reply all
Reply to author
Forward
0 new messages