Issue #15290 has been updated by James Turnbull.

Status changed from Unreviewed to Needs More Information
Assignee changed from eric sorenson to Ashley Penney

----------------------------------------
Bug #15290: AWS ssl issues on first run
https://projects.puppetlabs.com/issues/15290#change-68823

Author: Ashley Penney
Status: Needs More Information
Priority: Normal
Assignee: Ashley Penney
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

Hi,

I've run into a really strange and horrible bug. I can get you guys a copy of the AMI we use for production (someone in puppetlabs at least, so I can pretend to be security aware) where I can repeat this over and over. I can even bring up a machine and let someone check in against our internal server and show you the signed certificates etc.

The workflow:

<pre>
yum install puppet
add pluginsync = true and server = internal.server to puppet.conf
puppetd -tv
</pre>

This autosigns the certificate.

<pre>
puppetd -tv
</pre>

This FAILS due to SSL errors.

<pre>
rm -rf /var/lib/puppet/ssl on the ec2 node and puppet cert clean hostname on the master.
puppetd -tv
</pre>

This signs the cert.

<pre>
puppetd -tv
</pre>

This works perfectly fine.

Here's the output:

<pre>
[root@ui ~]# puppetd -tv --server per5-ops-puppet1.sys.perimeterusa.com
8:07 root@ui ~]# puppetd -tv
info: Creating a new SSL certificate request for ui.unity.perimeterusa.com
info: Certificate Request fingerprint (md5): EC:8A:AA:4B:1B:6B:76:66:BE:3F:2A:09:5F:C6:6C:D2
info: Caching certificate for ui.unity.perimeterusa.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://per5-ops-puppet1.sys.perimeterusa.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
info: Loading facts in /var/lib/puppet/lib/facter/augeasversion.rb
info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
info: Loading facts in /var/lib/puppet/lib/facter/mysql.rb
info: Loading facts in /var/lib/puppet/lib/facter/location.rb
info: Loading facts in /var/lib/puppet/lib/facter/gateway.rb
info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
info: Loading facts in /var/lib/puppet/lib/facter/rhelversion.rb
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
</pre>

At that point we have to delete/clean the certs and try again, and it works. On the puppet master I see a signed cert after that first run, but it seems to sign it... wrongly.

I just added puppet to 7 machines and all seven exhibited this behavior with 2.7.17. I've seen this with previous versions of Puppet too, however. These machines are checking in to Puppet (and Foreman) and have blank profiles, so they are set to include no classes and make no changes. There's no hostname change, no clock changes, nothing.
The -only- change between the two runs is that we run puppet cert clean and rm -rf /var/lib/puppet/ssl. I am completely lost and I'm not sure what other information I can give at this point.
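The report above ends at "certificate verify failed" with no way to tell from the agent output whether the cached agent certificate fails to chain to the cached CA or whether the clock is the problem, which is the cause the error text itself suggests. The script below is an added diagnostic example; it is not part of the bug report and not Puppet's own code, and it does not claim to reproduce or explain the reported behavior. It builds a throwaway CA, an agent certificate signed by it and an unrelated second CA with openssl (all constructed test material), then runs the two checks a practitioner would run on a failing node: verify the agent cert against the CA cert with `openssl verify`, and re-run the same verification with `openssl verify -attime` set to a date in the year 2000 to stand in for a badly skewed agent clock. The `certs/` and `private_keys/` subdirectories only mirror the 2.7 layout of `/var/lib/puppet/ssl`; the function names `make_fixture`, `verify_status` and `show_dates` and the hostnames in the subjects are the example's own.

```shell
#!/bin/sh
# Added diagnostic example, not from the bug report or from Puppet.
# After a run fails with "certificate verify failed", the two cheapest
# checks on the agent are: (1) does the cached agent cert actually chain
# to the cached CA cert, and (2) would it still verify if the agent's
# clock were off (the cause the error message itself suggests).
# Everything below is constructed under a temp dir; certs/ and
# private_keys/ only mirror the /var/lib/puppet/ssl layout of Puppet 2.7
# so the same openssl commands transfer to a real node.
set -eu

make_fixture() {
  # $1: directory to populate with a throwaway CA, an agent cert signed
  # by it, and an unrelated second CA (constructed test material).
  d=$1
  mkdir -p "$d/certs" "$d/private_keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Puppet CA: constructed" \
    -keyout "$d/private_keys/ca.pem" -out "$d/certs/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent.example" \
    -keyout "$d/private_keys/agent.pem" -out "$d/agent.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$d/agent.csr" \
    -CA "$d/certs/ca.pem" -CAkey "$d/private_keys/ca.pem" -CAcreateserial \
    -out "$d/certs/agent.pem" >/dev/null 2>&1
  # Stand-in for a master whose CA is not the one the agent cached.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Puppet CA: other" \
    -keyout "$d/private_keys/other-ca.pem" -out "$d/certs/other-ca.pem" >/dev/null 2>&1
}

verify_status() {
  # $1: CA cert   $2: agent cert   $3 (optional): epoch seconds to verify
  # "as of", which stands in for a skewed agent clock.
  # Prints OK or FAIL and always returns 0, because old openssl releases
  # did not set a useful exit code on verification failure.
  ca=$1; cert=$2; at=${3:-}
  if [ -n "$at" ]; then
    out=$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

show_dates() {
  # Print the cert's validity window next to the local clock; a notBefore
  # later than "date" on the agent is the clock-skew case.
  echo "local clock: $(date -u)"
  openssl x509 -noout -subject -dates -in "$1"
}

demo() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  make_fixture "$tmp"
  show_dates "$tmp/certs/agent.pem"
  echo "agent cert vs cached CA:           $(verify_status "$tmp/certs/ca.pem" "$tmp/certs/agent.pem")"
  echo "agent cert vs a different CA:      $(verify_status "$tmp/certs/other-ca.pem" "$tmp/certs/agent.pem")"
  echo "agent cert with clock set to 2000: $(verify_status "$tmp/certs/ca.pem" "$tmp/certs/agent.pem" 946684800)"
}

demo
```

On a real 2.7 agent the equivalent of the first check is `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/<fqdn>.pem`; a FAIL there means the agent cached a certificate or CA that do not belong together, and no amount of retrying the run will fix it, which is consistent with the report's observation that only `puppet cert clean` plus deleting `/var/lib/puppet/ssl` gets a node working. An OK there with a FAIL under `-attime` for the actual local time points at the clock instead.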
