Issue #15290 has been updated by eric sorenson.

Description updated
Category set to SSL
Assignee set to eric sorenson

Hi Ashley, can you get a node into this state and then use the openssl command to check the connection?

<pre>
openssl s_client -connect [server hostname]:8140 -showcerts -cert [path to cert.pem] -key [path to priv key] -CAfile [path to ca.pem]
</pre>

----------------------------------------
Bug #15290: AWS ssl issues on first run
https://projects.puppetlabs.com/issues/15290#change-67461

Author: Ashley Penney
Status: Unreviewed
Priority: Normal
Assignee: eric sorenson
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

Hi, I've run into a really strange and horrible bug. I can get you guys a copy of the AMI we use for production (someone in puppetlabs at least so I can pretend to be security aware) where I can repeat this over and over. I can even bring up a machine and let someone check in against our internal server and show you the signed certificates etc.

The workflow:

<pre>
yum install puppet
add pluginsync = true and server = internal.server to puppet.conf
puppetd -tv
</pre>

This autosigns the certificate.

<pre>
puppetd -tv
</pre>

This FAILS due to ssl errors.

<pre>
rm -rf /var/lib/puppet/ssl on the ec2 node and puppet cert clean hostname on the master.
puppetd -tv
</pre>

signs the cert

<pre>
puppetd -tv
</pre>

works perfectly fine. Here's the output:

<pre>
[root@ui ~]# puppetd -tv --server per5-ops-puppet1.sys.perimeterusa.com
8:07 root@ui ~]# puppetd -tv
info: Creating a new SSL certificate request for ui.unity.perimeterusa.com
info: Certificate Request fingerprint (md5): EC:8A:AA:4B:1B:6B:76:66:BE:3F:2A:09:5F:C6:6C:D2
info: Caching certificate for ui.unity.perimeterusa.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
Could not retrieve file metadata for puppet://per5-ops-puppet1.sys.perimeterusa.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
info: Loading facts in /var/lib/puppet/lib/facter/augeasversion.rb
info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
info: Loading facts in /var/lib/puppet/lib/facter/mysql.rb
info: Loading facts in /var/lib/puppet/lib/facter/location.rb
info: Loading facts in /var/lib/puppet/lib/facter/gateway.rb
info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
info: Loading facts in /var/lib/puppet/lib/facter/rhelversion.rb
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
</pre>

At that point we have to delete/clean the certs and try again and it works. On the puppet master I see a signed cert after that first run but it seems to sign it .. wrongly.

I just added puppet to 7 machines and all seven exhibited this behavior with 2.7.17. I've seen this with previous versions of Puppet too, however.

These machines are checking in to Puppet (and Foreman) and have blank profiles so they are set to include no classes and make no changes. There's no hostname change, no clock changes, nothing. The -only- change between the two runs is we puppet cert clean and rm -rf /var/lib/puppet/ssl.

I am completely lost and I'm not sure what other information I can give at this point.
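The agent output in the report shows the same SSL_connect verify failure in three separate phases (plugin sync, catalog retrieval, report submission), which is what makes it look like the master's certificate, not a single request, is at fault. The script below is an added example, not Puppet's own code or the reporter's: it triages such a log into the failing phases, the master host name and the CSR fingerprint the agent printed (so it can be compared with what the master actually signed), and it reproduces the openssl s_client check with Python's standard library, reporting clock skew against the master certificate's notBefore and raising on a CA mismatch. The log excerpt is constructed from the report; the ssldir paths are the default agent layout and are assumptions.

```python
"""Triage the SSL errors from a failing 'puppet agent' run and reproduce the
openssl s_client check with Python's standard library.

Added example for this bug report, not Puppet's own code. The log excerpt is
constructed from the report's output; file paths are assumptions."""
import re
import socket
import ssl
import time

# Constructed from the run quoted in the report (fact-loading lines omitted).
SAMPLE_LOG = """\
info: Creating a new SSL certificate request for ui.unity.perimeterusa.com
info: Certificate Request fingerprint (md5): EC:8A:AA:4B:1B:6B:76:66:BE:3F:2A:09:5F:C6:6C:D2
info: Caching certificate for ui.unity.perimeterusa.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
Could not retrieve file metadata for puppet://per5-ops-puppet1.sys.perimeterusa.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
"""

# The error Puppet prints when the master's cert does not validate against
# the CA the agent has cached in its ssldir.
SSL_ERR = re.compile(
    r"SSL_connect returned=(?P<ret>\d+) errno=(?P<errno>\d+) "
    r"state=(?P<state>[^:]+): (?P<reason>certificate verify failed)"
)
SERVER_URL = re.compile(r"puppet://(?P<host>[A-Za-z0-9.\-]+)/")
CSR_FP = re.compile(
    r"Certificate Request fingerprint \((?P<alg>\w+)\): (?P<fp>[0-9A-F:]+)"
)

# Which agent phase an error line belongs to, keyed by a distinctive substring.
PHASES = (
    ("/File[/var/lib/puppet/lib]", "pluginsync"),
    ("Could not retrieve file metadata", "pluginsync"),
    ("Could not retrieve catalog", "catalog"),
    ("Could not send report", "report"),
)


def triage(log_text):
    """Summarise the verify failures of one agent run as a dict."""
    result = {"csr_fingerprint": None, "server": None,
              "failed_phases": [], "verify_failures": 0}
    for line in log_text.splitlines():
        m = CSR_FP.search(line)
        if m:
            result["csr_fingerprint"] = (m["alg"], m["fp"])
        m = SERVER_URL.search(line)
        if m and result["server"] is None:
            result["server"] = m["host"]
        if SSL_ERR.search(line):
            result["verify_failures"] += 1
            for needle, phase in PHASES:
                if needle in line:
                    if phase not in result["failed_phases"]:
                        result["failed_phases"].append(phase)
                    break
    return result


def check_master(host, port, certfile, keyfile, cafile, timeout=5.0):
    """Stdlib equivalent of the openssl s_client check: a mutual-TLS handshake
    with the master, verified against the agent's cached CA.

    Returns (peer CN, seconds the peer cert's notBefore lies in the future);
    a clearly positive second value means this node's clock is behind.
    Raises ssl.SSLCertVerificationError when the master's cert was not issued
    by the CA in cafile, and ssl.SSLError if certfile and keyfile disagree.
    Note: modern Python refuses SSLv3, so a master that only speaks SSLv3
    fails here for protocol reasons rather than certificate ones."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)  # raises if cert and key mismatch
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peer = tls.getpeercert()
    cn = dict(rdn[0] for rdn in peer["subject"])["commonName"]
    not_before = ssl.cert_time_to_seconds(peer["notBefore"])
    return cn, not_before - time.time()


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Assumed default ssldir layout for a node named ui.unity.perimeterusa.com:
    # check_master("per5-ops-puppet1.sys.perimeterusa.com", 8140,
    #              "/var/lib/puppet/ssl/certs/ui.unity.perimeterusa.com.pem",
    #              "/var/lib/puppet/ssl/private_keys/ui.unity.perimeterusa.com.pem",
    #              "/var/lib/puppet/ssl/certs/ca.pem")
```

Running the triage on the reported output yields all three phases failing and the single master host, which is the pattern of a CA or clock problem rather than of one bad request; comparing the printed CSR fingerprint with the fingerprint the master shows for the signed cert is the quickest way to tell a wrongly signed cert from a skewed clock.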
