Issue #19179 has been reported by Luigi Martin Petrella.

----------------------------------------
Bug #19179: Certificate verify fails without indications
https://projects.puppetlabs.com/issues/19179

Author: Luigi Martin Petrella
Status: Unreviewed
Priority: High
Assignee:
Category:
Target version: 3.1.0
Affected Puppet version:
Keywords: ruby openssl redhat
Branch:

I have a puppet master on Centos 6.3 connected and working properly with other Centos 6.3 agents.
I installed puppet agent via gems on a RED HAT 4 node.
This is what happens when I try to sign the certificate for the new node:

AGENT
`[root@FP2 ~]$ puppet agent -t
Info: Creating a new SSL key for fp2
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for fp2
Info: Certificate Request fingerprint (SHA1): 35:51:A0:12:CF:2E:F7:73:22:C3:5E:51:DC:03:AF:4C:FC:54:5C:10
Exiting; no certificate found and waitforcert is disabled`

MASTER
`[root@puppet centos]# puppet cert list
"fp2" (SHA1) 35:51:A0:12:CF:2E:F7:73:22:C3:5E:51:DC:03:AF:4C:FC:54:5C:10
[root@puppet centos]# puppet cert sign fp2
Notice: Signed certificate request for fp2
Notice: Removing file Puppet::SSL::CertificateRequest fp2 at '/var/lib/puppet/ssl/ca/requests/fp2.pem'`

AGENT
`[root@FP2 ~]$ puppet agent -t
Info: Caching certificate for fp2
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]`

I tried several times to clear the certificate on master and agent but I always get the same result.

To help understand and debug the issue, here is some other information:

- clocks are synchronized on server and agent

- I installed puppet agent on the Red Hat 4 node using this procedure:

Install ruby
a. wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz
b. tar -xzvf ruby-1.8.7.tar.gz
c. cd ruby-1.8.7
d. ./configure
e. make
f. make install

Install rubygems
a. wget http://rubyforge.org/frs/download.php/70696/rubygems-1.3.7.tgz
b. tar xvzf rubygem*.tgz
c. cd rubygem*
d. ruby setup.rb

Install library openssl-devel (needed to install openssl support for ruby, otherwise nothing works)
a. wget ftp://ftp.pbone.net/mirror/ftp.wesmo.com/pub/redhat/i386/openssl-devel-0.9.7-1.i386.rpm
b. rpm -i openssl-devel-0.9.7-1.i386.rpm
(Note: 0.9.7 is the most updated version of the openssl library that can be installed on Red Hat 4)

Install openssl support for ruby
a. cd /${ruby_src}/ext/openssl
b. ruby extconf.rb
c. make
d. make install

a. gem install puppet

- puppet.conf is the same on the working and non-working agents

I'm afraid this problem is related to openssl...

`rpm -qa | grep openssl`:

On Centos (master and working nodes)
`openssl-devel-1.0.0-25.el6_3.1.i686
openssl-1.0.0-25.el6_3.1.i686`

On Red Hat 4 agent:
`openssl-0.9.7a-43.17.el4_6.1
openssl-devel-0.9.7-1`

Hope someone could help.
