Issue #15290 has been updated by charles walker.
Hi,
I have the same issue also on AWS.
I create a server using a default AWS AMI on which I install puppet to tune it.
From time to time it fails with this error...
Stopping this server and starting a new one with the same exact script and
process solves the issue, so I don't think it is on the Puppet Master side (since I
do not change anything and it works again with a new server) but rather a
random issue on the client side.
cat auth.conf
{{{
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
# unconditionally allow access to all file services,
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
path /certificate/
auth any
method find
allow *
path /certificate_request
auth any
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is to deny everything else
path /
auth any
}}}
----------------------------------------
Bug #15290: AWS ssl issues on first run
https://projects.puppetlabs.com/issues/15290#change-94379
* Author: Ashley Penney
* Status: Needs More Information
* Priority: Normal
* Assignee: Ashley Penney
* Category: SSL
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
Hi,
I've run into a really strange and horrible bug. I can get you guys a copy of
the AMI we use for production (someone in puppetlabs at least so I can pretend
to be security aware) where I can repeat this over and over. I can even bring
up a machine and let someone check in against our internal server and show you
the signed certificates etc.
The workflow:
<pre>
yum install puppet
add pluginsync = true and server = internal.server to puppet.conf
puppetd -tv
</pre>
This autosigns the certificate.
<pre>
puppetd -tv
</pre>
This FAILS due to ssl errors.
<pre>
rm -rf /var/lib/puppet/ssl on the ec2 node and puppet cert clean hostname on
the master.
puppetd -tv
</pre>
signs the cert.
<pre>
puppetd -tv
</pre>
works perfectly fine.
Here's the output:
<pre>
[root@ui ~]# puppetd -tv --server per5-ops-puppet1.sys.perimeterusa.com
8:07 root@ui ~]# puppetd -tv
info: Creating a new SSL certificate request for ui.unity.perimeterusa.com
info: Certificate Request fingerprint (md5):
EC:8A:AA:4B:1B:6B:76:66:BE:3F:2A:09:5F:C6:6C:D2
info: Caching certificate for ui.unity.perimeterusa.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using
'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed. This is often because the time is
out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed. This
is often because the time is out of sync on the server or client Could not
retrieve file metadata for
puppet://per5-ops-puppet1.sys.perimeterusa.com/plugins: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed. This
is often because the time is out of sync on the server or client
info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
info: Loading facts in /var/lib/puppet/lib/facter/augeasversion.rb
info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
info: Loading facts in /var/lib/puppet/lib/facter/mysql.rb
info: Loading facts in /var/lib/puppet/lib/facter/location.rb
info: Loading facts in /var/lib/puppet/lib/facter/gateway.rb
info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
info: Loading facts in /var/lib/puppet/lib/facter/rhelversion.rb
err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed. This
is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed. This is often because the
time is out of sync on the server or client
</pre>
At that point we have to delete/clean the certs and try again and it works. On
the puppet master I see a signed cert after that first run but it seems to sign
it .. wrongly. I just added puppet to 7 machines and all seven exhibited this
behavior with 2.7.17. I've seen this with previous versions of Puppet too,
however. These machines are checking in to Puppet (and Foreman) and have blank
profiles so they are set to include no classes and make no changes. There's no
hostname change, no clock changes, nothing. The -only- change between the two
runs is we puppet cert clean and rm -rf /var/lib/puppet/ssl. I am completely
lost and I'm not sure what other information I can give at this point.
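The report above leaves the root cause open (the ticket is still "Needs More Information"), but the agent-side symptom, "certificate verify failed" immediately after the first successful sign, can be narrowed down locally before anyone wipes /var/lib/puppet/ssl. The following script is an added example written for this page; it is not Puppet's own code and not something either poster ran. It assumes the 2.7-era ssldir layout (certs/ca.pem, certs/<fqdn>.pem, private_keys/<fqdn>.pem), the function names puppet_ssl_check / make_fixture / break_fixture_key and the hostname agent.example.test, all of which are made up here. It only calls openssl and never contacts the master, and it separates the three conditions the error message conflates: the cached agent cert does not chain to the cached CA, the cert is outside its validity window at the agent's clock (the "time is out of sync" hint), or the cert was issued for a different key than the one on disk, which is what a partial cleanup of the ssldir or a CSR/key mismatch looks like. The optional third argument feeds openssl's -attime so a clock-skew scenario can be reproduced without touching the system clock.

```sh
#!/bin/sh
# Added diagnostic for the "certificate verify failed" symptom above.
# Not Puppet's code; uses only openssl against the agent's ssldir layout
# (certs/ca.pem, certs/<fqdn>.pem, private_keys/<fqdn>.pem). All names,
# paths and hostnames below are assumptions for this example.

# puppet_ssl_check SSLDIR FQDN [EPOCH]
# Returns 0 if the cached agent cert chains to the cached CA, is valid at
# EPOCH (default: now, i.e. this host's clock) and matches the private key.
# Prints the first failing check and returns 1 otherwise.
puppet_ssl_check() {
  ssldir=$1; fqdn=$2; at=${3:-$(date +%s)}
  ca="$ssldir/certs/ca.pem"
  cert="$ssldir/certs/$fqdn.pem"
  key="$ssldir/private_keys/$fqdn.pem"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: missing $f"; return 1; }
  done

  # 1+2. Chain and validity window, judged at the agent's clock. openssl verify
  # before 1.1.0 exits 0 even on failure, so match its output rather than $?.
  out=$(openssl verify -CAfile "$ca" -attime "$at" "$cert" 2>&1)
  case "$out" in
    *"not yet valid"*)
      echo "FAIL: cert notBefore is later than this host's clock ($at): clock skew between CA and agent"
      return 1 ;;
    *"has expired"*)
      echo "FAIL: cert already expired at clock $at"; return 1 ;;
    *": OK"*) ;;
    *)
      echo "FAIL: $cert does not chain to $ca: $out"; return 1 ;;
  esac

  # 3. The cert must carry the public half of the key on disk. A cert the CA
  # signed for an earlier CSR, while the agent regenerated its key, fails here.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $cert was not issued for the key in $key"; return 1
  fi
  echo "OK: $fqdn cert chains to CA, is valid at $at and matches its private key"
  return 0
}

# make_fixture DIR FQDN: constructed ssldir with a throwaway self-signed CA
# (test data only, not a real Puppet CA) so the check can run offline.
make_fixture() {
  dir=$1; fqdn=$2
  mkdir -p "$dir/certs" "$dir/private_keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Puppet CA" \
    -keyout "$dir/ca.key" -out "$dir/certs/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/private_keys/$fqdn.pem" -out "$dir/$fqdn.csr" 2>/dev/null
  openssl x509 -req -days 365 -set_serial 1 -in "$dir/$fqdn.csr" \
    -CA "$dir/certs/ca.pem" -CAkey "$dir/ca.key" -out "$dir/certs/$fqdn.pem" 2>/dev/null
}

# break_fixture_key DIR FQDN: replace the agent key after signing, leaving a
# cached cert that no longer belongs to the key on disk.
break_fixture_key() {
  openssl genrsa -out "$1/private_keys/$2.pem" 2048 2>/dev/null
}

# Stand-alone demo: good layout, then the same layout judged with a clock one
# day behind the CA's, then a swapped key.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" agent.example.test
puppet_ssl_check "$demo_dir" agent.example.test || :
puppet_ssl_check "$demo_dir" agent.example.test "$(( $(date +%s) - 86400 ))" || :
break_fixture_key "$demo_dir" agent.example.test
puppet_ssl_check "$demo_dir" agent.example.test || :
rm -rf "$demo_dir"
```

On a real node you would run `puppet_ssl_check /var/lib/puppet/ssl "$(hostname -f)"` before cleaning anything: a "does not chain" result points at a stale or foreign certs/ca.pem baked into the image, "not yet valid" at clock skew, and a key mismatch at the agent and master disagreeing about which CSR was signed. None of these say why the master issued what it did, which is the part the ticket still has to establish.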