Problem with my puppet agent 7.27 on a Windows client


puppetstan

Dec 15, 2023, 12:18:54 PM
to Puppet Users
Hi,

I have a problem with my puppet agent on a Windows client.

I installed the puppet agent on my Windows client.

I downloaded it here: https://downloads.puppetlabs.com/windows/puppet7/index.html

I took the following version: puppet-agent-x64-latest.msi

Here is the installed version:

C:\Users\Administrateur>puppet -V
7.27.0


My puppet file (puppet.conf) is in this directory: C:\ProgramData\PuppetLabs\puppet\etc


[main]
server=puppet.domain.fr
autoflush=true
environment=production


When I force the puppet agent, I get the following error:

C:\Users\Administrateur>puppet agent -t
Error: certificate verify failed [unable to get issuer certificate for CN=Puppet CA: puppet.domain.fr]
Error: certificate verify failed [unable to get issuer certificate for CN=Puppet CA: puppet.domain.fr]


Do you have an idea of the problem?

Regards

puppetstan

Apr 18, 2025, 11:23:24 AM
to Puppet Users
Hello,

I've made some progress on this. The client server (test-server.domain.fr) is successfully registered on the Puppet master server.

1 - On the Puppet master server (puppet.domain.fr):

# puppetserver ca list -a | grep serveur-test.domain.fr
    serveur-test.domain.fr                                    (SHA256)  9A:98:B4:54:16:8C:32:C4:24:4E:78:39:05:32:1B:08:AF:B2:D1:73:96:3E:25:43:05:5E:EC:FA:08:12:3D:B4    alt names: ["DNS:serveur-test.domain.fr"]



2 - Then when I restart the puppet agent t, I have a certificate error that I don't understand.


C:\Users\Administrateur>puppet agent -t

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]

Info: Retrieving pluginfacts

Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Info: Retrieving plugin
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]


Do you have any idea?
Regards
Stan

Dirk Heinrichs

Apr 22, 2025, 1:50:29 AM
to puppet...@googlegroups.com
On Friday, 18.04.2025 at 08:23 -0700, puppetstan wrote:

I've made some progress on this. The client server (test-server.domain.fr) is successfully registered on the Puppet master server.

1 - On the Puppet master server (puppet.domain.fr) :

# puppetserver ca list -a | grep serveur-test.domain.fr
    serveur-test.domain.fr                                    (SHA256)  9A:98:B4:54:16:8C:32:C4:24:4E:78:39:05:32:1B:08:AF:B2:D1:73:96:3E:25:43:05:5E:EC:FA:08:12:3D:B4    alt names: ["DNS:serveur-test.domain.fr"]

Errh, is it "test-server", or "serveur-test"?

Anyway, try to remove the certificate from both Puppet server and agent, then run the agent again, so that it creates a new certificate (which you need to sign again, unless you have autosigning enabled and configured for "domain.fr").

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Email: dhei...@opentext.com
Website: www.recommind.de
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Managing directors authorized to represent the company: Gordon Davies, Madhu
Ranganathan, Christian Waida; court of registration: Amtsgericht Bonn,
registration number HRB 10646
This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail.
Any unauthorized copying, disclosure or distribution of the material in
this e-mail is strictly forbidden

puppetstan

May 28, 2025, 11:06:43 AM
to Puppet Users
Thank you, Dirk Heinrichs.

Sorry for my late reply.

The server is serveur-test.domain.fr

I tested what you told me.


1 - On the Windows client server (serveur-test.domain.fr) I deleted the directory: C:\ProgramData\PuppetLabs\puppet\etc\ssl

2 - On the puppet server I clean up the certificate

# puppetserver ca clean --certname serveur-test.domain.fr
Certificate for serveur-test.domain.fr has been revoked
Cleaned files related to serveur-test.domain.fr


3 - On the Windows client server I launch "puppet agent -t"

The certificate is created, but then I get an error

C:\Users\Administrateur>puppet agent -t
Info: Creating a new SSL key for serveur-test.domain.fr
Info: Caching certificate for ca
Info: csr_attributes file loading from C:/ProgramData/PuppetLabs/puppet/etc/csr_attributes.yaml
Info: Creating a new SSL certificate request for serveur-test.domain.fr
Info: Certificate Request fingerprint (SHA256): 61:5F:8C:E0:97:17:FA:B7:41:2F:96:C9:EB:F3:71:65:E7:B8:09:C0:27:BB:EA:6A:39:92:D6:68:67:94:AC:12
Info: Caching certificate for serveur-test.domain.fr
Error: request https://puppet.domain.fr:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]
Exiting; failed to retrieve certificate and waitforcert is disabled



4 - On the puppet server I check the presence of the certificate

The certificate is signed

# puppetserver ca list -a |grep test
     serveur-test.domain.fr                                     (SHA256)  66:3E:3E:EE:EA:79:AF:0D:E4:46:9D:29:C9:68:F8:17:4E:EE:8E:FF:41:A5:85:03:1A:D0:77:1E:31:32:B5:A5    alt names: ["DNS: serveur-test.domain.fr"]


I don't understand this certificate error: certificate verify failed

Regards
Stan

Dirk Heinrichs

Jun 23, 2025, 1:46:14 AM
to puppet...@googlegroups.com
On Wednesday, 28.05.2025 at 08:06 -0700, puppetstan wrote:

Error: request https://puppet.domain.fr:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.domain.fr]

Any chance the Puppet server certificate is invalid (maybe expired, contains wrong names, etc)? Seems like the client doesn't trust it.

HTH...

Dirk
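One chain layout that yields the OpenSSL error string quoted in this thread, as an added example that is not from any poster here: a trust store that holds a "Puppet CA" certificate which is itself signed by another CA missing from the store. All names, keys and certificates are constructed, and the code uses Ruby's OpenSSL bindings to show which certificate each error is reported against.

```ruby
require 'openssl'

# Build a certificate; issuer_cert/issuer_key nil means self-signed.
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed three-level chain: root -> "Puppet CA: ..." -> agent certificate.
def build_chain
  rk, ck, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('Example Root CA', rk, nil, nil, ca: true, serial: 1)
  ca   = make_cert('Puppet CA: puppet.example.test', ck, root, rk, ca: true, serial: 2)
  leaf = make_cert('agent.example.test', lk, ca, ck, ca: false, serial: 3)
  [root, ca, leaf]
end

# Verify leaf against a trust store; return [ok, "error for subject" or nil].
def verify_with(trusted, leaf)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  failure = nil
  ok = store.verify(leaf) do |preverify_ok, ctx|
    # Record the first failure together with the certificate it applies to.
    failure ||= "#{ctx.error_string} for #{ctx.current_cert.subject}" unless preverify_ok
    preverify_ok
  end
  [ok, failure]
end

if __FILE__ == $PROGRAM_NAME
  root, ca, leaf = build_chain
  p verify_with([ca], leaf)        # store has the Puppet CA but not the CA that signed it
  p verify_with([root], leaf)      # store lacks the agent certificate's direct issuer
  p verify_with([root, ca], leaf)  # complete chain
end
```

The first case reports "unable to get issuer certificate" against the CA certificate, while a missing direct issuer is reported as "unable to get local issuer certificate" against the leaf.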