simian.client.client.SimianClientError: Auth error: Sn is not signed by server cert
/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/gae_client.zip/google/appengine/tools/dev_appserver_login.py:33: DeprecationWarning: the md5 module is deprecated; use hashlib instead
/usr/local/munki/simian/lib/python2.6/site-packages/tlslite-0.3.8-py2.6.egg/tlslite/utils/cryptomath.py:9: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
WARNING:root:Ignoring invalid facter output line: sp_local_host_name =>
WARNING:root:facter hostname empty; fetching from sys_config
DEBUG:root:SimianClient.__init__(https://windlesham-ict-osx-1062.appspot.com [default=False], 443, True)
DEBUG:root:LoadHost(https://windlesham-ict-osx-1062.appspot.com, 443)
DEBUG:root:LoadHost(): hostname = windlesham-ict-osx-1062.appspot.com, port = None, use_https = True
DEBUG:root:_LoadRootCertChain()
DEBUG:root:_Get(root_ca_cert_chain_pem_path)
DEBUG:root:_GetExternalValue(root_ca_cert_chain_pem_path)
DEBUG:root:_GetExternalConfiguration(settings)
WARNING:root:Root CA Cert Chain was EMPTY!
DEBUG:root:GetSystemRootCACertChain: Executing ['/usr/bin/security', 'find-certificate', '-a', '-p', '/System/Library/Keychains/SystemRootCertificates.keychain']
DEBUG:root:GetSystemRootCACertChain: returning 323284 bytes
DEBUG:root:LoadCaParameters
DEBUG:root:_Get(ca_id)
DEBUG:root:_GetExternalValue(ca_id)
DEBUG:root:_GetExternalConfiguration(settings)
DEBUG:root:_Get(ca_public_cert_pem)
DEBUG:root:_GetExternalPem(ca_public_cert_pem)
DEBUG:root:_GetExternalConfiguration(ca_public_cert.pem)
DEBUG:root:_Get(server_public_cert_pem)
DEBUG:root:_GetExternalPem(server_public_cert_pem)
DEBUG:root:_GetExternalConfiguration(server_public_cert.pem)
DEBUG:root:_Get(required_issuer)
DEBUG:root:_GetExternalValue(required_issuer)
DEBUG:root:Loaded ca_params
DEBUG:root:_Get(ca_public_cert_pem)
DEBUG:root:_GetExternalPem(ca_public_cert_pem)
DEBUG:root:_Get(server_public_cert_pem)
DEBUG:root:_GetExternalPem(server_public_cert_pem)
DEBUG:root:_Get(required_issuer)
DEBUG:root:_GetExternalValue(required_issuer)
DEBUG:root:Loaded default_ca_params
DEBUG:root:SimianAuthClient._GetPuppetSslDetails
DEBUG:root:GetFacter: facter cache mtime is 2015-09-08 23:35:10
DEBUG:root:GetFacter: reading recent facter cache
DEBUG:root:GetFacter: read 8 entities
DEBUG:root:Certname from facter: "foo-cert-name"
DEBUG:root:_GetPuppetSslDetails(foo-cert-name.pem)
DEBUG:root:_ValidatePuppetSslCert: required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com
DEBUG:root:_ValidatePuppetSslCert: default_required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com
DEBUG:root:_ValidatePuppetSslCert: /etc/simian/ssl/certs/foo-cert-name.pem
DEBUG:root:Skipped cert foo-cert-name.pem, IO Error [Errno 2] No such file or directory: '/etc/simian/ssl/certs/foo-cert-name.pem'
ERROR:root:Failed to harvest Puppet SSL cert facter specified.
DEBUG:root:_GetNewestPuppetSslCert found certs C02Q3KQPFVH3.pem
DEBUG:root:_ValidatePuppetSslCert: required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com
DEBUG:root:_ValidatePuppetSslCert: default_required_issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com
DEBUG:root:_ValidatePuppetSslCert: /etc/simian/ssl/certs/C02Q3KQPFVH3.pem
DEBUG:root:Looking at issuer C=GB,ST=West Sussex,L=Washington,O=Windlesham House School,OU=IT Department,CN=ws-osxserver.windlesham.local,emailAddress=sysadmin@windlesham.com
DEBUG:root:_GetPuppetSslDetails found cert C02Q3KQPFVH3.pem with timestamp 1441751172.0
DEBUG:root:_GetPuppetSslDetails priv should be /etc/simian/ssl/private_keys/C02Q3KQPFVH3.pem
DEBUG:root:_Get(ca_id)
DEBUG:root:_GetExternalValue(ca_id)
DEBUG:root:_GetExternalConfiguration(settings)
DEBUG:root:_Get(ca_public_cert_pem)
DEBUG:root:_GetExternalPem(ca_public_cert_pem)
DEBUG:root:_Get(server_public_cert_pem)
DEBUG:root:_GetExternalPem(server_public_cert_pem)
DEBUG:root:_Get(required_issuer)
DEBUG:root:_GetExternalValue(required_issuer)
DEBUG:root:Do(POST, /auth) try #1
DEBUG:root:Connecting to https://windlesham-ict-osx-1062.appspot.com:None
DEBUG:root:Loaded 323284 bytes of CA cert chain and configured ctx
DEBUG:root:SSL configuring with context
DEBUG:root:SSL connect(('windlesham-ict-osx-1062.appspot.com', 443))
DEBUG:root:IsValidCert() ok=0 cert=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA, returning 0
DEBUG:root:SSL connected ('windlesham-ict-osx-1062.appspot.com', 443)
DEBUG:root:Requesting POST /auth
DEBUG:root:Waiting for response
DEBUG:root:Response status 200
Traceback (most recent call last):
File "/usr/local/munki/simian_client.py", line 87, in <module>
sys.exit(main(sys.argv[1:]))
File "/usr/local/munki/simian_client.py", line 73, in main
preflight.RunPreflight(runtype, server_url=server_url)
File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/mac/client/preflight.py", line 431, in RunPreflight
secure_config, client_id, user_settings, client_exit)
File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/mac/client/preflight.py", line 140, in LoginToServer
token = client.GetAuthToken()
File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/client.py", line 1828, in GetAuthToken
self.DoSimianAuth()
File "/usr/local/munki/simian/lib/python2.6/site-packages/simian-2.4-py2.6.egg/simian/client/client.py", line 1369, in DoSimianAuth
' '.join(self._auth1.ErrorOutput())))
simian.client.client.SimianClientError: Auth error: Sn is not signed by server cert
--
You received this message because you are subscribed to the Google Groups "Simian Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simian-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
All sorted Justin. My required issuer was at fault!
Hesan
openssl x509 -in newcerts/ca_public_cert.pem -issuer -noout
openssl x509 -in /Users/missinformed/dev/certificates/vault/certs/simian-example-XXXXX.appspot.com_crt -issuer -noout
issuer= /CN=example-XXXXX-production-root-simian
# The full DN of the CA that Simian certificates are signed by.
required_issuer = CN=example-XXXXX-production-root-simian
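Added example, not part of the thread and not Simian's own code: a shell check that compares the issuer printed by the `openssl x509 -issuer -noout` command above with the `required_issuer` line of a settings file, using the comma-separated DN form that appears in the client log. The function names and the settings-file path argument are assumptions; it assumes no DN value contains `/` or `, `.

```shell
#!/bin/sh
# Added example (not Simian code): does a certificate's issuer match the
# required_issuer configured for the client?

# Turn one "issuer=..." line from `openssl x509 -issuer -noout` into the
# comma-separated form seen in the log (C=GB,ST=...,CN=...).
# Handles the older "/C=GB/CN=x" output and the newer "C = GB, CN = x" output.
normalize_issuer() {
    printf '%s\n' "$1" | sed \
        -e 's/^issuer= *//' \
        -e 's|^/||' \
        -e 's|/\([A-Za-z][A-Za-z0-9.]*=\)|,\1|g' \
        -e 's/ = /=/g' \
        -e 's/, \([A-Za-z][A-Za-z0-9.]*=\)/,\1/g'
}

# Print the value of the first "required_issuer = ..." line in a settings file.
read_required_issuer() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^required_issuer *= *//p' "$1" | head -n 1
}

# $1 = issuer line from openssl, $2 = settings file (path is site-specific).
# Returns 0 on an exact match; otherwise prints both values and returns 1.
check_issuer() {
    have=$(normalize_issuer "$1")
    want=$(read_required_issuer "$2")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    printf 'issuer mismatch\n  certificate:     %s\n  required_issuer: %s\n' \
        "$have" "$want" >&2
    return 1
}

# Usage (paths are placeholders):
#   check_issuer "$(openssl x509 -in ca_public_cert.pem -issuer -noout)" \
#       /path/to/simian/settings
```

The comparison is an exact string match, so differences in attribute order, spacing, or a missing `emailAddress` component are reported as a mismatch.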