Hi,

Are you calling the puppet run with the '--server <puppetmaster>' parameter?

With SSL you basically need the following:

* working DNS
* clocks in sync
* correct certnames

To help solve SSL issues also use 'openssl s_client' to test connections, check certnames and other errors.

This is a definitive reference on puppet and SSL.
http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

There is a newer doc than this on puppet docs site but can't find it at the moment:
http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security

Den

On 21/08/2011, at 5:53, Brian Troutwine <[email protected]> wrote:

> On Sat, Aug 20, 2011 at 2:47 PM, Brian Troutwine <[email protected]> wrote:
> On Sat, Aug 20, 2011 at 12:18 PM, Brian Troutwine <[email protected]> wrote:
> On Sat, Aug 20, 2011 at 10:04 AM, Laurence Southon <[email protected]> wrote:
> On 20/08/11 01:13, Brian Troutwine wrote:
> > How do I actually revoke a faulty certificate?
>
> You can remove the client certificate entirely with:
>
> puppetca --clean apt.example.com
>
> I overlooked that entirely. Thank you.
>
> This does look like the flag I was looking for, however:
>
> # puppet cert --clean apt.example.com
> notice: Revoked certificate with serial # Inventory of signed certificates
> # SERIAL NOT_BEFORE NOT_AFTER SUBJECT
> 0x0001 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=Puppet CA: puppet.example.com
> 0x0002 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=puppet.example.com
> 0x0003 2011-08-19T18:21:46GMT 2016-08-17T18:21:46GMT /CN=gateway.example.com
> err: Could not call revoke: Cannot convert into OpenSSL::BN
>
> and on apt.example.com:
>
> # puppet agent --test --noop
> info: Creating a new SSL key for apt.example.com
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for apt.example.com
> info: Certificate Request fingerprint (md5): FB:05:0D:41:C8:46:3C:44:EE:AC:9D:48:4E:4A:CC:FB
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for apt.example.com
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> Similarly,
>
> # puppet cert --list --all
> + apt.example.com (4C:FB:40:5B:9F:0F:CB:8B:78:57:78:D2:34:3F:8F:9B)
> + puppet.example.com (C5:37:33:6A:1D:AB:60:55:61:05:55:05:03:56:35:45)
> # puppet cert --clean apt.example.com
> notice: Revoked certificate with serial 3
> notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/ca/signed/apt.example.com.pem'
> notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/certs/apt.example.com.pem'
>
> but then,
>
> # puppet agent --test --noop
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> Mind you, apt is a virgin computer each time. Things that the error message doesn't tell me:
>
> * Which certificate failed,
> * why it failed in the context of puppet (not raw ssl jargon) and
> * what I should do to remedy the problem.
>
> A new one will then be generated next time you connect.
>
> LS
> --
> Laurence Southon
> Tiger Computing, Bexley
> www.tiger-computing.co.uk
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
>
> --
> Brian L. Troutwine
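The three things Den lists (DNS, clock sync, certnames) and his 'openssl s_client' probe, as a small added pre-flight script; this is example code, not from the thread or from Puppet, and it assumes the master listens on 8140, that the agent's cached CA sits at /var/lib/puppet/ssl/certs/ca.pem (the ssl directory the thread shows) and that `getent` is available:

```shell
#!/bin/sh
# Added example (not from the thread): check the three things Den lists,
# DNS, clock sync and certnames, plus the s_client handshake he suggests.
# Assumptions: master on port 8140, the agent's CA copy at
# /var/lib/puppet/ssl/certs/ca.pem (the ssl dir shown in the thread), getent.

# Print the CN from `openssl x509 -noout -subject` output read on stdin.
# Accepts both the "subject= /CN=host" and the newer "subject=CN = host" layouts.
cert_cn() {
  sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Succeed only when the subject on stdin carries the expected certname.
cert_cn_matches() {
  [ "$(cert_cn)" = "$1" ]
}

# Succeed when two epoch timestamps differ by at most $3 seconds (default 300).
# Compare `date +%s` taken on the master and on the agent; a cert issued by a
# master whose clock is ahead is "not yet valid" on an agent that lags behind.
clock_skew_ok() {
  skew=$(( $1 - $2 ))
  [ "$skew" -lt 0 ] && skew=$(( -skew ))
  [ "$skew" -le "${3:-300}" ]
}

# Live probe (needs network, not exercised offline): DNS first, then the same
# handshake the agent performs, verified against the agent's cached CA.
check_master() {
  master="$1"; port="${2:-8140}"
  getent hosts "$master" >/dev/null 2>&1 \
    || { echo "DNS: $master does not resolve"; return 1; }
  out=$(openssl s_client -connect "$master:$port" \
          -CAfile /var/lib/puppet/ssl/certs/ca.pem </dev/null 2>/dev/null)
  # "Verify return code: 0 (ok)" means this agent trusts the chain; any other
  # code names the reason that "certificate verify failed" leaves out.
  printf '%s\n' "$out" | grep 'Verify return code'
  printf '%s\n' "$out" | openssl x509 -noout -subject | cert_cn_matches "$master" \
    || { echo "certname: server certificate CN is not $master"; return 1; }
}
```

Run `check_master puppet.example.com` on the agent; if the CN printed by the probe is not the name you pass with '--server', the agent will reject the master's certificate no matter how many times the agent's own cert is cleaned.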
