Issue #4680 has been updated by eric sorenson.

So-- there seem to be a couple of issues conflated here.

The patch that Daniel wrote is a fix for the issue identified by Jesse Wolfe in 
update #4680#note-3, which clearly needed attention.

There may be some additional problem, not covered by that fix, that David Swift 
in update #4680#note-7 and potentially Nico, the original poster, are seeing, 
where the CSR is not received.  (I.e. Jesse's original diagnosis may have 
misidentified the problem.) It's hard to tell with the evidence at hand though, 
because Nico's server log stops before CSR receiving and processing normally 
happens (that `Could not find certificate for x.y.z` error is logged as the 
client requests its own certificate, which corresponds to the second `peer 
certificate won't be verified` message on the client).

So David -- since Nico's last update was a couple of years ago and he probably 
doesn't have the situation close to hand any more -- can you help troubleshoot 
this? What would be very helpful is to see both HTTP access logs and puppet 
--debug logs from the master around the time a CSR is sent. That would help to 
determine whether the CSR is getting lost in the HTTP->Application->CA flow on 
the master, or whether the client erroneously thinks it sent something when in 
fact nothing ever hit the http server on the master.

I kind of feel like that should happen on a new bug since this bug's ID is now 
associated with the code branch for 3.x, even if the basis on which that 
happened was not correct.
----------------------------------------
Bug #4680: agent will never resend a certificate request, preventing it from 
connecting to the master, even if the master is in autosign mode
https://projects.puppetlabs.com/issues/4680#change-71216

Author: Nico Schottelius
Status: In Topic Branch Pending Review
Priority: High
Assignee: eric sorenson
Category: SSL
Target version: 2.7.x
Affected Puppet version: 0.25.5
Keywords: 
Branch: https://github.com/puppetlabs/puppet/pull/1156


Problem:

Client should transfer certificate request, master should autosign it.

Current behaviour:

Master outputs info: Could not find certificate for 'ikr31.ethz.ch'
Client outputs

warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

But there's no csr on the master. Tried with and without the new auth.conf.

Details:

Client:

<pre>
root@ikr31:~# puppet --version
0.25.4
root@ikr31:~# puppetd --server puppet.inf.ethz.ch --test  --ca_port 19400 
--debug --color no --waitforcert 2
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does 
not exist
debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring 
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/ikr31.ethz.ch.pem]: Autorequiring 
File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring 
File[/var/lib/puppet/state]
debug: /File[/var/run/puppet/puppetd.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/ikr31.ethz.ch.pem]: Autorequiring 
File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: Finishing transaction 69844402770620 with 0 changes
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate_request for ikr31.ethz.ch, good until 
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca, good until Tue Sep 02 13:24:09 UTC 2014
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
^CCancelling startup
</pre>

Master:

<pre>
[10:38] sans:~# /usr/bin/puppet master --servertype=webrick --masterport=19400 
--debug --no-daemonize --color false --trace
warning: You have configuration parameter $ssl_client_header specified in 
[puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $templatedir specified in 
[puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
warning: You have configuration parameter $modulepath specified in 
[puppetmasterd], which is a deprecated section. I'm assuming you meant [master]
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does 
not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows 
is missing
debug: /File[/var/lib/puppetmaster/ssl/public_keys/sans.ethz.ch.pem]: 
Autorequiring File[/var/lib/puppetmaster/ssl/public_keys]
debug: /File[/var/lib/puppetmaster/ssl/certs]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/reports]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/lib]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/ssl/certificate_requests]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/server_data]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/certs/sans.ethz.ch.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/certs]
debug: /File[/var/lib/puppetmaster/ssl]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring 
File[/var/log/puppet]
debug: /File[/var/lib/puppetmaster/ssl/public_keys]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/yaml]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private_keys/sans.ethz.ch.pem]: 
Autorequiring File[/var/lib/puppetmaster/ssl/private_keys]
debug: /File[/var/lib/puppetmaster/bucket]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/rrd]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppetmaster/state]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/facts]: Autorequiring 
File[/var/lib/puppetmaster]
debug: /File[/var/lib/puppetmaster/ssl/private]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/private_keys]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring 
File[/etc/puppet/manifests]
debug: /File[/var/lib/puppetmaster/ssl/crl.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl]
debug: /File[/var/lib/puppetmaster/ssl/certs/ca.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/certs]
debug: Finishing transaction 70355901938100
debug: /File[/var/lib/puppetmaster/ssl/ca/inventory.txt]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_pub.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private/ca.pass]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca/private]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_key.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/signed]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/private]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/serial]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crt.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/ca_crl.pem]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: /File[/var/lib/puppetmaster/ssl/ca/requests]: Autorequiring 
File[/var/lib/puppetmaster/ssl/ca]
debug: Finishing transaction 70355900300400
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for sans.ethz.ch
notice: Starting Puppet master version 2.6.0
err: Removing mount files: /etc/puppet/files does not exist
info: mount[files]: allowing 129.132.12.0/24 access
[... many more permissions allowed...]
debug: No modules mount given; autocreating with default permissions
debug: Finishing transaction 70355918274780
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because 
/etc/puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/auth.conf 
doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl because 
/etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/auth.conf 
doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
info: Inserting default '/status'(auth) acl because /etc/puppet/auth.conf 
doesn't exist
info: Inserting default '/resource'(auth) acl because /etc/puppet/auth.conf 
doesn't exist
info: Could not find certificate for 'ikr31.ethz.ch'
</pre>
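
The triage requested in the update above (did the CSR ever reach the master's HTTP server, or was it lost behind it?) can be scripted against the master's access log. This is an added example, not part of the original ticket or of Puppet's code; the Common Log Format layout, the `production` URL prefix and the host `agent01.example.test` are assumptions, and the log lines are constructed.

```ruby
# Added example (not Puppet code): classify one agent's certificate enrollment
# from the master's HTTP access log. Common Log Format and the optional
# environment prefix in the URL are assumptions.
REQUEST = %r{"(?<verb>GET|PUT) (?:/[^/ ]+)?/(?<endpoint>certificate_request|certificate)/(?<name>[^ ?/]+)[^"]*" (?<status>\d{3})}

# Return the certificate-related requests the log records for certname.
def enrollment_requests(lines, certname)
  lines.map { |line|
    m = REQUEST.match(line)
    next unless m && m[:name] == certname
    { verb: m[:verb], endpoint: m[:endpoint], status: m[:status].to_i }
  }.compact
end

# Decide where the enrollment stalled, based only on what hit the HTTP server.
def classify_enrollment(lines, certname)
  reqs = enrollment_requests(lines, certname)
  return :no_contact if reqs.empty?

  submits = reqs.select { |r| r[:verb] == 'PUT' && r[:endpoint] == 'certificate_request' }
  fetches = reqs.select { |r| r[:verb] == 'GET' && r[:endpoint] == 'certificate' }

  return :certificate_issued if fetches.any? { |r| r[:status] == 200 }
  # Agent polls for its certificate but never uploaded a CSR: client-side problem.
  return :csr_never_reached_master if submits.empty?
  # CSR arrived but every upload was refused (e.g. by an ACL).
  return :csr_rejected_by_master unless submits.any? { |r| (200..299).cover?(r[:status]) }
  # CSR was accepted over HTTP yet no certificate exists: look at the CA/autosign step.
  :csr_accepted_but_not_signed
end

AGENT = 'agent01.example.test' # hypothetical certname

# Constructed sample: agent only polls for its certificate.
NEVER_SENT = [
  '192.0.2.10 - - [01/Sep/2010:10:38:12 +0200] "GET /production/certificate/ca HTTP/1.1" 200 830',
  '192.0.2.10 - - [01/Sep/2010:10:38:12 +0200] "GET /production/certificate/agent01.example.test HTTP/1.1" 404 52',
  '192.0.2.10 - - [01/Sep/2010:10:38:14 +0200] "GET /production/certificate/agent01.example.test HTTP/1.1" 404 52'
]

# Constructed sample: CSR upload succeeded, certificate still missing.
LOST_ON_MASTER = [
  '192.0.2.10 - - [01/Sep/2010:10:40:01 +0200] "PUT /production/certificate_request/agent01.example.test HTTP/1.1" 200 -',
  '192.0.2.10 - - [01/Sep/2010:10:40:03 +0200] "GET /production/certificate/agent01.example.test HTTP/1.1" 404 52'
]

puts classify_enrollment(NEVER_SENT, AGENT)
puts classify_enrollment(LOST_ON_MASTER, AGENT)
```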



