Yeah, great, stupid me... m( I was pretty sure I tried that before, but obviously I didn't.

Had to add the DigiCert_FullChain.pem to /var/lib/puppet/ssl/ca/ca_crt.pem. Without it, it of course could never verify the certificate. Interesting that it worked fine on the old server (copied all the certs and configs).

Urs

On Thursday, December 15, 2016 at 4:38:16 PM UTC+1, Urs Weiss wrote:
> Hi,
>
> I migrated my old installation from a CentOS 6 machine to CentOS 7.
> Everything went quite fine and all clients connected to the new machine
> again. So far so good.
>
> Finally I wanted to use our DigiCert certificate for Foreman's
> frontend, as we did on the old one. But somehow I can't get it to work. As
> soon as I replace the cert, the Puppet clients start to fail:
>
>> Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node foo.bar.com: Failed to find foo.bar.com via exec: Execution of '/etc/puppet/node.rb foo.bar.com' returned 1:
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>
> A "sudo -u puppet /etc/puppet/node.rb foo.bar.com" on the server returns:
>
>> Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>
> If I check the certs I use with the "katello-certs-check" everything looks
> fine:
>
>> Check private key matches the certificate: [OK]
>> Check ca bundle verifies the cert file: [OK]
>
> The following values in the answers file were changed:
>
>> server_ssl_chain: /etc/pki/tls/certs/DigiCertCA_FullChain.crt
>> server_ssl_cert: /etc/pki/tls/certs/certificate.crt
>> server_ssl_key: /etc/pki/tls/private/private.key
>> puppet_ssl_ca: /etc/pki/tls/certs/DigiCertCA_FullChain.crt
>
> Have not touched anything else in the file.
>
> Currently I'm still on 1.12.4 because the update to 1.13.x didn't fully
> work either (foreman-installer fails to execute. Different story...). So I
> first would like to bring it fully back to work on 1.12.4.
>
> After more than a day not getting one step further I'm a bit out of ideas.
> What else could I try? Have I missed something?
> I haven't found any good way to debug this in more detail to find the root
> cause.
>
> Thanks a lot,
> Urs

--
You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
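The root cause in the reply (a CA bundle that lacks the intermediate cannot verify a server certificate issued under it) reproduced with a throwaway root/intermediate/leaf chain, as an added example that is not part of the original thread; every name, path and the `foreman.example.test` CN is constructed here, and the last function is a diagnostic you can run against a real bundle, intermediate and server cert.

```shell
# Added example (not from the thread): build a three-level chain with openssl
# and show why "root only" fails while "intermediate + root" verifies.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed (constructed, short-lived).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: signed by the root; CA:TRUE is required or it cannot issue.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.pem 2>/dev/null

# Leaf (server) cert: signed by the intermediate, like a DigiCert-issued cert.
openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null

# Two candidate bundles: root alone vs. the full chain (intermediate + root).
cp root.pem ca_root_only.pem
cat inter.pem root.pem > ca_full_chain.pem

# verify_against BUNDLE CERT: prints "ok" when CERT chains to BUNDLE, else "fail".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# chain_is_missing_intermediate BUNDLE INTERMEDIATE CERT: prints "yes" when CERT
# fails against BUNDLE alone but succeeds once INTERMEDIATE is supplied as an
# untrusted extra cert, i.e. the bundle (not the server cert) is what is incomplete.
chain_is_missing_intermediate() {
  if ! openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 \
     && openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

echo "root only:  $(verify_against ca_root_only.pem leaf.pem)"    # fail
echo "full chain: $(verify_against ca_full_chain.pem leaf.pem)"   # ok
echo "bundle missing intermediate: $(chain_is_missing_intermediate ca_root_only.pem inter.pem leaf.pem)"  # yes
```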
