If I query the puppet port via SSL:
openssl s_client -connect server.dev.domain.com:8140
CONNECTED(00000003)
depth=1 /CN=ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=server.dev.domain.com
i:/CN=ca
1 s:/CN=ca
i:/CN=ca
---
Server certificate
subject=/CN=server.dev.domain.com
issuer=/CN=ca
---
No client certificate CA names sent
---
SSL handshake has read 1765 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
BC7BD6BE308985441951F5CE8FA701DF5E01EAE4326B05FF0ACA6AA9E78AC2E3
Session-ID-ctx:
Master-Key:
9B417072526ACE3A1477212CA8384933098F2987AAA1AE93288098088CA96163EFF1F0F2ED9946BF3B55ED45A6E56E31
Key-Arg : None
Krb5 Principal: None
Start Time: 1280159446
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
On Jul 26, 11:41 am, CraftyTech <[email protected]> wrote:
> Here's the trace:
>
> puppetd -t --trace --debug
> debug: Failed to load library 'selinux' for feature 'selinux'
> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does
> not exist
> debug: Puppet::Type::User::ProviderLdap: true value when expecting
> false
> debug: Puppet::Type::User::ProviderPw: file pw does not exist
> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/
> dscl does not exist
> debug: Failed to load library 'ldap' for feature 'ldap'
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/
> ssl]
> debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/
> puppet/state]
> debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/
> state]
> debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/certs/client.dev.domain.com.pem]:
> Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/
> puppet/run]
> debug: /File[/etc/puppet/ssl/private_keys/client.dev.domain.com.pem]:
> Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring
> File[/etc/puppet/ssl]
> debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/
> puppet]
> debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/
> ssl]
> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/
> puppet/state]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/
> puppet/ssl]
> debug: /File[/etc/puppet/ssl/public_keys/client.dev.domain.com.pem]:
> Autorequiring File[/etc/puppet/ssl/public_keys]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/
> puppet/ssl]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/
> puppet/ssl/certs]
> debug: Finishing transaction -608390318 with 0 changes
> debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05
> UTC 2015
> debug: Using cached certificate for client.dev.domain.com, good until
> Fri Jul 24 15:21:11 UTC 2015
> debug: Loaded state in 1.08 seconds
> debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05
> UTC 2015
> debug: Using cached certificate for client.dev.domain.com, good until
> Fri Jul 24 15:21:11 UTC 2015
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
> /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
> /usr/lib/ruby/1.8/net/http.rb:542:in `start'
> /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
> /usr/lib/ruby/1.8/net/http.rb:772:in `get'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in
> `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:208:in `ssl_store'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in
> `cert_setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in
> `http_instance'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in
> `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:106:in
> `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
> /usr/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/
> core_ext/benchmark.rb:10:in `realtime'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:105:in
> `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:162:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in
> `onetime'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in
> `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/sbin/puppetd:159
> err: Could not retrieve catalog from remote server: certificate verify
> failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> On Jul 26, 11:31 am, CraftyTech <[email protected]> wrote:
>
> > The times are in Sync via NTP. The SSL are in default location as I
> > didn't define it in puppet.conf. I basically deleted /etc/puppet/
> > ssl, /var/lib/puppet/ssl, Did: puppetca --revoke --all, puppetca --
> > clean --all... and still "certificate verify failed" !!. At this
> > point, I'm willing to start from scratch. Is there anything else I
> > can do to reset my ssl config? This is what's running now on
> > puppetmaster:
> > puppetmasterd --genconfig | grep ssl
> > # ldapssl = false
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > # The default value is '$confdir/ssl'.
> > ssldir = /etc/puppet/ssl
> > # The default value is '$ssldir/private_keys'.
> > privatekeydir = /etc/puppet/ssl/private_keys
> > # The default value is '$ssldir/csr_$certname.pem'.
> > hostcsr = /etc/puppet/ssl/csr_hostname.dev.hostname-fqdn.com.pem
> > hostpubkey = /etc/puppet/ssl/public_keys/hostname.dev.hostname-
> > fqdn.com.pem
> > # The default value is '$ssldir/public_keys'.
> > publickeydir = /etc/puppet/ssl/public_keys
> > # The default value is '$ssldir/private'.
> > privatedir = /etc/puppet/ssl/private
> > hostcert = /etc/puppet/ssl/certs/hostname.dev.hostname-
> > fqdn.com.pem
> > localcacert = /etc/puppet/ssl/certs/ca.pem
> > # The default value is '$ssldir/certs'.
> > certdir = /etc/puppet/ssl/certs
> > # The default value is '$ssldir/certificate_requests'.
> > requestdir = /etc/puppet/ssl/certificate_requests
> > passfile = /etc/puppet/ssl/private/password
> > hostprivkey = /etc/puppet/ssl/private_keys/hostname-FQDN.com.pem
> > # The default value is '$ssldir/crl.pem'.
> > hostcrl = /etc/puppet/ssl/crl.pem
> > capass = /etc/puppet/ssl/ca/private/ca.pass
> > # The default value is '$ssldir/ca'.
> > cadir = /etc/puppet/ssl/ca
> > capub = /etc/puppet/ssl/ca/ca_pub.pem
> > csrdir = /etc/puppet/ssl/ca/requests
> > serial = /etc/puppet/ssl/ca/serial
> > cacert = /etc/puppet/ssl/ca/ca_crt.pem
> > cacrl = /etc/puppet/ssl/ca/ca_crl.pem
> > signeddir = /etc/puppet/ssl/ca/signed
> > cert_inventory = /etc/puppet/ssl/ca/inventory.txt
> > cakey = /etc/puppet/ssl/ca/ca_key.pem
> > caprivatedir = /etc/puppet/ssl/ca/private
>
> > Thanks,
>
> > Henry
>
> > On Jul 26, 10:11 am, mohit chawla <[email protected]>
> > wrote:
>
> > > I can think of two things - date/time mismatch at server & client. And why
> > > aren't the certificates in /var/lib/puppet (for puppetmaster) ?
>
> > > On Mon, Jul 26, 2010 at 7:30 PM, CraftyTech <[email protected]> wrote:
> > > > Hello All,
>
> > > > So it turns out that after the upgrade and subsequent rollback
> > > > from 2.6, I can't get clients to connect to puppetserver anymore.
> > > > Something got broken with the ssl and I'm having a tough time
> > > > identifying the problem. So far, I've tried puppetca --clean all (and
> > > > hostname specific), I even deleted the /etc/puppet/ssl on both client
> > > > and server, and still verified failed. These are the steps that I
> > > > follow, in order to test:
> > > > On server: puppetca --clean hostname
> > > > On client: puppetd -t --waitforcert 20
> > > > On server: puppetca -l (it shows the client's FQDN)
> > > > On server: puppetca -s "client's FQDN"
> > > > On client: certificate verified failed !!
>
> > > > Here's a sample trace/debug:
>
> > > > puppetd -t --trace --debug
> > > > debug: Failed to load library 'selinux' for feature 'selinux'
> > > > debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does
> > > > not exist
> > > > debug: Puppet::Type::User::ProviderLdap: true value when expecting
> > > > false
> > > > debug: Puppet::Type::User::ProviderPw: file pw does not exist
> > > > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/
> > > > dscl does not exist
> > > > debug: Failed to load library 'ldap' for feature 'ldap'
> > > > debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/
> > > > puppet/run]
> > > > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/
> > > > puppet/ssl]
> > > > debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/
> > > > puppet/state]
> > > > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
> > > > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> > > > debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/
> > > > puppet/state]
> > > > debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
> > > > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/
> > > > puppet/ssl/certs]
> > > > debug:...
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
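The `verify error:num=19` at the top of the thread is what `openssl s_client` reports whenever it is not handed the CA, so on its own it does not show what the agent is tripping over. As an added example (not from the thread and not Puppet's own code), the Ruby script below uses only the stdlib `openssl` module to reproduce what the agent's `ssl_store` amounts to, a trust store holding only `ca.pem`, against a constructed CA and server certificate, and shows the two causes discussed in the thread: a CA regenerated after the rollback so the agent's `ca.pem` no longer matches, and a client clock that is behind. The CN values are taken from the thread; the certificates themselves are generated on the fly.

```ruby
require 'openssl'

# Constructed example: a CA and a server cert issued by it, standing in for
# the puppetmaster's ca.pem and the cert puppetca signs for the master.
def make_cert(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = ca ? 1 : 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 5 * 365 * 86400
  issuer_cert, issuer_key = issuer || [cert, key]   # self-signed when no issuer
  cert.issuer = issuer_cert.subject
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# What the agent's ssl_store (puppet/ssl/host.rb in the trace) boils down to:
# a trust store containing only localcacert (ca.pem), used to verify the
# certificate the master presents. Returns [verified?, OpenSSL reason string].
def verify_against_ca(server_cert, ca_pem, at: Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.time = at   # lets us model the agent's clock being wrong
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

if __FILE__ == $0
  ca = make_cert('ca', ca: true)
  server, = make_cert('server.dev.domain.com', issuer: ca)
  # 1. The agent's ca.pem is the CA that signed the master's cert: verifies.
  p verify_against_ca(server, ca[0].to_pem)
  # 2. The CA was regenerated (same CN, new key) while one side kept the old
  #    ca.pem: "certificate verify failed" although every name still matches.
  fresh_ca = make_cert('ca', ca: true)
  p verify_against_ca(server, fresh_ca[0].to_pem)
  # 3. Matching CA, but the agent's clock is behind: fails on validity dates.
  p verify_against_ca(server, ca[0].to_pem, at: server.not_before - 3600)
end
```

Comparing `openssl x509 -noout -fingerprint -in /etc/puppet/ssl/certs/ca.pem` on the agent with the same on the master is the quick way to tell case 2 from case 3 on real hosts.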