On Fri, 2011-02-18 at 00:44 -0800, Eric Sorenson wrote:
> I have a couple of hosts which are having trouble talking to the puppet VIP:
> 
> puppetd[4554]: could not retrieve catalog from remote server: ssl_connect 
> returned=1 errno=0 state=sslv3 read server certificate b: certificate verify 
> failed
> puppetd[4554]: Not using cache on failed catalog
> puppetd[4554]: Could not retrieve catalog; skipping run
> puppetd[4961]: Retrieving plugin
> puppetd[4961]: (/File[/var/lib/puppet/lib]) Failed to generate additional 
> resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 
> read server certificate B: certificate verify failed
> puppetd[4961]: (/File[/var/lib/puppet/lib]) Failed to retrieve current state 
> of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server 
> certificate B: certificate verify failed Could not retrieve file metadata for 
> puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read 
> server certificate B: certificate verify failed

This certainly means your local node CA cert is not able to verify the
certificate the server proposed (probably because the cert the server
advertised hasn't been signed by this CA, or you use a CA chain but don't
send the full chain to the client).

> I've gone through the usual SSL troubleshooting: the clocks are in
> sync, the client cert matches the one issued to it by the server (and
> is decodable by the private_key).
> 
> When I use tshark to watch the ssl traffic, I see that the client is
> rejecting the server with the following ssl error. The connection
> never makes it to the back-end server, because the client hangs up.
> (10.1.1.1 is this client, 10.0.0.1 is the puppet vip)
> 
> [root@db9 /var/lib/puppet/ssl]# tshark -n -i bond0 -d tcp.port==8140,ssl 
> -s2000 'port 8140 and len > 60'
>   0.000000 10.1.1.1 -> 10.0.0.1 TCP 29718 > 8140 [SYN] Seq=0 Win=5840 Len=0 
> MSS=1460 TSV=1862094055 TSER=0 WS=7
>   0.001585 10.1.1.1 -> 10.0.0.1 SSLv2 Client Hello
>   0.001713 10.0.0.1 -> 10.1.1.1 TLSv1 Server Hello, Certificate, Certificate 
> Request, Server Hello Done
>   0.002208 10.1.1.1 -> 10.0.0.1 TLSv1 Alert (Level: Fatal, Description: 
> Unknown CA)
> 
> But openssl with the same cert and key that puppet is using passes 
> verification and connects successfully:
> 
>  openssl s_client -connect puppet:8140 -cert certs/db9.domain.com.pem -key 
> private_keys/db9.domain.com.pem -showcerts -state -verify 2

You didn't ask openssl s_client to actually check the server certificate
against the CA cert of the client.

Can you try:
openssl s_client -connect puppet:8140 -CAfile certs/ca.pem -cert 
certs/db9.domain.com.pem -key private_keys/db9.domain.com.pem -showcerts -state 
-verify 2

> 103.115871 10.1.1.1 -> 10.0.0.1 TCP 40758 > 8140 [SYN] Seq=0 Win=5840 Len=0 
> MSS=1460 TSV=1862197169 TSER=0 WS=7
> 103.116949 10.1.1.1 -> 10.0.0.1 SSLv2 Client Hello
> 103.117078 10.0.0.1 -> 10.1.1.1 TLSv1 Server Hello, Certificate, Certificate 
> Request, Server Hello Done
> 103.121057 10.1.1.1 -> 10.0.0.1 TLSv1 Certificate, Client Key Exchange, 
> Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
> 103.122162 10.0.0.1 -> 10.1.1.1 TLSv1 Change Cipher Spec, Encrypted Handshake 
> Message
> 
> Any thoughts on what could be causing this failure? I've seen quite a
> few odd ones (#3120, #4948 for example) but I've been gnawing at this
> one all day and haven't figured it out.

For an unknown reason your local node CA cert is not correct.
You can solve this by overwriting it with the main CA cert, or by checking
that your server certificate is indeed correctly signed by the CA you
think it was signed with.
-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
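The two failure modes named in the reply (a node whose local ca.pem is not the CA that signed the server cert, and a CA chain where the server does not send the intermediate) can be reproduced offline with the same Ruby OpenSSL bindings the agent uses. The following is an added example, not code from the thread or from Puppet itself; the certificates, the "Puppet CA: puppet" subject, and the re-initialised-CA scenario are all constructed here to show the symptom, and `verify_like_agent` is a stand-in for the agent's TLS verification, not Puppet's own method.

```ruby
require 'openssl'

# Build an X.509v3 certificate. With no +issuer+ the cert is self-signed (a
# root CA); +ca+ sets basicConstraints so it may sign other certs.
def build_cert(subject, key, issuer: nil, issuer_key: nil, serial: 1, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

# Stand-in for the agent's TLS client: a trust store holding only the node's
# local ca.pem, asked to verify the server cert plus whatever extra certs the
# server sent in the handshake. Returns [ok, error_string].
def verify_like_agent(local_ca, server_cert, sent_chain = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(local_ca)
  ok = store.verify(server_cert, sent_chain)
  [ok, ok ? 'ok' : store.error_string]
end

# Two triage checks: does the issuer *name* match the local CA, and does the
# server cert's signature actually verify under the local CA's public key?
# Only the second one proves the CA is the right one.
def issuer_name_matches?(local_ca, server_cert)
  server_cert.issuer.to_s == local_ca.subject.to_s
end

def signed_by?(local_ca, server_cert)
  server_cert.verify(local_ca.public_key)
end

# --- constructed scenario (hypothetical, not from the thread) ---------------
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = build_cert('/CN=Puppet CA: puppet', CA_KEY, ca: true)

# A second CA with the same subject name but a different key: what a node
# keeps trusting if the master's CA was regenerated but the node's ca.pem
# was never replaced. The issuer name still matches; the signature does not.
STALE_KEY  = OpenSSL::PKey::RSA.new(2048)
STALE_CERT = build_cert('/CN=Puppet CA: puppet', STALE_KEY, ca: true)

SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = build_cert('/CN=puppet', SERVER_KEY, issuer: CA_CERT, issuer_key: CA_KEY, serial: 2)

# Chain case: root -> intermediate -> server. The agent only has the root.
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
INT_CERT = build_cert('/CN=Puppet intermediate', INT_KEY, issuer: CA_CERT, issuer_key: CA_KEY, serial: 3, ca: true)
SRV2_KEY  = OpenSSL::PKey::RSA.new(2048)
SRV2_CERT = build_cert('/CN=puppet', SRV2_KEY, issuer: INT_CERT, issuer_key: INT_KEY, serial: 4)

def results
  {
    right_ca:                verify_like_agent(CA_CERT, SERVER_CERT),
    stale_ca:                verify_like_agent(STALE_CERT, SERVER_CERT),
    chain_no_intermediate:   verify_like_agent(CA_CERT, SRV2_CERT),
    chain_with_intermediate: verify_like_agent(CA_CERT, SRV2_CERT, [INT_CERT]),
  }
end

if __FILE__ == $0
  results.each { |name, (ok, msg)| puts format('%-24s %-5s %s', name, ok, msg) }
  puts "issuer name matches stale CA? #{issuer_name_matches?(STALE_CERT, SERVER_CERT)}"
  puts "signed by stale CA?          #{signed_by?(STALE_CERT, SERVER_CERT)}"
end
```

The stale-CA case is the one worth remembering: comparing issuer and subject names, or even fingerprints of the CA cert's subject, will not catch it, because a regenerated CA reuses the same name. Only a signature check (`signed_by?`, or `openssl verify -CAfile certs/ca.pem <server cert>` on a real node, with the server cert saved from `openssl s_client -showcerts`) tells you whether ca.pem is the CA that actually signed what the server presents. The chain case shows the other half of the reply: with only the root in the store, the same server cert fails until the intermediate is supplied alongside it, which is what the server has to do in the handshake.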

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.