Issue #8858 has been updated by David K.
I'm having the same problem with ruby 1.9.3 and puppet 1.7.9/11/12rc2. With
this new setup puppet refuses to talk to the puppetmaster at all. Given the fix
in #9084 I believe this is related to that bug as well.
The problem appears as follows:
* For hostcert and localcacert creation (the files in /etc/puppet/ssl/certs)
puppet needs to connect to the puppetmaster over SSL
* If there is no localcacert file, it cannot verify the connection (this is
where the fixes in #9084 manually copy them and set up openssl)
* hostcert and localcacert are not created since it can't verify the
connection, and from here on nothing works.
It seems that (unless I am really misunderstanding something) we should not
care about VERIFY_PEER when we are setting up the certs. We should only be
verifying the certs if we /actually/ have them to verify against. Does that
make sense?
<pre>
--- http_pool.rb.ORIG 2012-03-09 12:51:21.000000000 -0700
+++ http_pool.rb 2012-03-09 13:25:06.000000000 -0700
@@ -12,6 +12,7 @@
# Use cert information from a Puppet client to set up the http object.
def self.cert_setup(http)
# Just no-op if we don't have certs.
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
return false unless FileTest.exist?(Puppet[:hostcert]) and
FileTest.exist?(Puppet[:localcacert])
http.cert_store = ssl_host.ssl_store
</pre>
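Review bot: The new `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` line runs unconditionally before the `return false unless ...` guard, so the path where both hostcert and localcacert exist also continues with peer verification switched off unless something after `http.cert_store = ssl_host.ssl_store` sets it back to `VERIFY_PEER`, which this hunk does not show. Move the assignment into the no-cert branch instead, e.g. `unless FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])` / `http.verify_mode = OpenSSL::SSL::VERIFY_NONE; return false` / `end`, and set `VERIFY_PEER` explicitly alongside `cert_store` on the success path, so that verification is relaxed only while the agent has no CA to verify against and is never inherited by later, fully provisioned connections. Worth a comment on that branch as well: the bootstrap fetch of the CA certificate is then done over an unauthenticated connection (trust on first use), which is the trade-off the comment argues for and which readers of the code should be able to see.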
Fixes all problems for me right now. I'm sure someone with greater insight can
come up with a better solution/idea to this. Maybe even an idea of where/why
this got changed.
----------------------------------------
Bug #8858: Puppet registration with master with Ruby 1.9.2
https://projects.puppetlabs.com/issues/8858#change-56468
Author: Ryan Conway
Status: Needs More Information
Priority: Normal
Assignee: Ryan Conway
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:
When using Puppet 1.9.2, when trying to register the agent with a master, it
fails to obtain the master certificate, and therefore fails to complete
registration or retrieve and apply a configuration.
/usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime
produces errors along the lines of:
err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
In order to fix this, you need to do the following *before* running the initial
registration:
Obtain your openssl base directory:
openssl version -d
This results in something like /usr/lib/openssl/
Copy your PuppetMaster CA.pem to somewhere, like
/etc/puppet/ssl/certs/masterca.pem
Generate a hash of the masterca.pem file:
openssl x509 -hash -noout -in /etc/puppet/ssl/certs/masterca.pem
This results in something like '520f3686'.
Symlink the hash into your openssl basedir, within the certs directory,
appending .0:
ln -s /etc/puppet/ssl/certs/masterca.pem /usr/lib/openssl/certs/520f3686.0
Finally, re-run the registration, which should now work as expected.
/usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime
I found the workaround on the following thread:
https://groups.google.com/group/puppet-users/browse_thread/thread/fa49f1b9b36ceac6/72bf694d4e2f3012?pli=1
Note: if you have already tried to register with a master, you will need to
clear your /etc/puppet/ssl directory, before trying these steps, otherwise the
cached versions will be used, and the workaround will fail.
This only seems to affect Ruby 1.9.
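The two things discussed in this issue, the CA-hash symlink workaround in the report and the "only verify once we have a CA to verify against" logic from the comment's patch, as one added example in Ruby. This is illustration code written for this page, not Puppet's own http_pool.rb or anything from the issue; the CA and agent certificates are generated in memory, the file names (`masterca.pem`, `hostcert.pem`) are constructed, and it assumes OpenSSL 1.0 or later, where `OpenSSL::X509::Name#hash` is the same subject-name hash that `openssl x509 -hash` prints.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"
require "net/http"

# Generate a certificate for this example (constructed test data, not a real CA).
# With no issuer it is self-signed; with issuer/issuer_key it is signed by that CA.
def make_cert(cn, ca: true, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# File name OpenSSL's CApath lookup expects: 8 hex digits of the subject-name
# hash plus ".N", the same value the report obtains with `openssl x509 -hash`.
def capath_filename(cert, index = 0)
  format("%08x.%d", cert.subject.hash, index)
end

# Install a CA PEM into a CApath-style directory by symlink, as in the workaround.
# Returns the path of the created link.
def install_ca_into_capath(ca_pem_path, capath_dir)
  cert = OpenSSL::X509::Certificate.new(File.read(ca_pem_path))
  FileUtils.mkdir_p(capath_dir)
  link = File.join(capath_dir, capath_filename(cert))
  FileUtils.ln_s(File.expand_path(ca_pem_path), link, force: true)
  link
end

# Check the installed directory actually lets a store verify a cert issued by that CA.
def capath_verifies?(capath_dir, cert)
  store = OpenSSL::X509::Store.new
  store.add_path(capath_dir)
  store.verify(cert)
end

# Verification policy the comment argues for: while the agent has no hostcert or
# localcacert yet (bootstrap), it cannot verify anything, so relax verification
# for that connection only; once both files exist, pin the CA and verify the peer.
# Returns true when verification is enforced, false during bootstrap.
def configure_verification(http, hostcert:, localcacert:)
  unless File.exist?(hostcert) && File.exist?(localcacert)
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # bootstrap: trust on first use
    return false
  end
  store = OpenSSL::X509::Store.new
  store.add_file(localcacert)
  http.cert_store = store
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # provisioned: always verify
  true
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    ca, ca_key = make_cert("Puppet CA: puppet.example.test")
    agent, = make_cert("agent.example.test", ca: false, issuer: ca, issuer_key: ca_key)
    ca_pem = File.join(dir, "masterca.pem")
    File.write(ca_pem, ca.to_pem)
    link = install_ca_into_capath(ca_pem, File.join(dir, "certs"))
    puts "installed #{File.basename(link)}, agent cert verifies: #{capath_verifies?(File.join(dir, 'certs'), agent)}"
    http = Net::HTTP.new("puppet.example.test", 8140)
    http.use_ssl = true
    puts "enforced with no hostcert: #{configure_verification(http, hostcert: File.join(dir, 'hostcert.pem'), localcacert: ca_pem)}"
  end
end
```

The point of `configure_verification` over the one-line patch in the comment is that `VERIFY_NONE` is set only on the branch that returns early; a provisioned agent never runs with verification disabled, and the one unverified connection is the bootstrap download of the CA, which is exactly the trust-on-first-use step the thread's workaround was doing by hand.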