On Sat, Aug 20, 2011 at 6:18 PM, Denmat <[email protected]> wrote:
> Hi,
>
> Are you calling the puppet run with the '--server <puppetmaster>'
> parameter?

Default is 'puppet', no? In any event, using --server or not has no effect.

> With SSL you basically need the following:
> * working DNS
> * clocks in sync

Done.

> * correct certnames

Can you elaborate?

> To help solve SSL issues also use 'openssl s_client' to test connections,
> check certnames and other errors.
>
> This is a definitive reference on puppet and SSL.
> http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/
>
> There is a newer doc than this on puppet docs site but can't find it at the
> moment:
> http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security

The latter is all that turns up in a Google search.

Here's the fresh apt:

# puppet agent --test --noop
info: Creating a new SSL key for apt.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for apt.example.com
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

Then on the puppet master:

# puppet cert --clean apt.example.com
notice: Revoked certificate with serial 4
notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/ca/signed/apt.example.com.pem'
notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/certs/apt.example.com.pem'

Back on apt:

# puppet agent --test --noop
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

root@apt:~# openssl s_client -host puppet -port 8139 -cert /var/lib/puppet/ssl/certs/apt.example.com.pem -key /var/lib/puppet/ssl/private_keys/apt.example.com.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem
error setting private key
732:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:

Doesn't really tell me much.

Then I noticed that the puppet master is running 2.7.1 while my apt client machine is on 2.6.2 -- part of the catalog is an update of the puppet client to the Debian backports' latest. I ran that update manually and:

# openssl s_client -host puppet -port 8139 -cert /var/lib/puppet/ssl/certs/apt.example.com.pem -key /var/lib/puppet/ssl/private_keys/apt.example.com.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem
connect: Connection refused
connect:errno=111

while

# puppet agent --server puppet.example.com --test

ran to completion, with no errors. That leaves me even more confused than before, frankly. It's possible I'm not using openssl s_client correctly, but I think there's sufficient evidence that the puppet master is listening and will push down catalogs.

> Den
>
> On 21/08/2011, at 5:53, Brian Troutwine <[email protected]> wrote:
>
> On Sat, Aug 20, 2011 at 2:47 PM, Brian Troutwine <[email protected]> wrote:
>
>> On Sat, Aug 20, 2011 at 12:18 PM, Brian Troutwine <[email protected]> wrote:
>>
>>> On Sat, Aug 20, 2011 at 10:04 AM, Laurence Southon <[email protected]> wrote:
>>>
>>>> On 20/08/11 01:13, Brian Troutwine wrote:
>>>> > How do I actually revoke a faulty certificate?
>>>>
>>>> You can remove the client certificate entirely with:
>>>>
>>>> puppetca --clean apt.example.com
>>>
>>> I overlooked that entirely. Thank you.
>>>
>>
>> This does look like the flag I was looking for, however:
>>
>> # puppet cert --clean apt.example.com
>> notice: Revoked certificate with serial # Inventory of signed certificates
>> # SERIAL NOT_BEFORE NOT_AFTER SUBJECT
>> 0x0001 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=Puppet CA: puppet.example.com
>> 0x0002 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=puppet.example.com
>> 0x0003 2011-08-19T18:21:46GMT 2016-08-17T18:21:46GMT /CN=gateway.example.com
>>
>> err: Could not call revoke: Cannot convert into OpenSSL::BN
>>
>> and on apt.example.com:
>>
>> # puppet agent --test --noop
>> info: Creating a new SSL key for apt.example.com
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Creating a new SSL certificate request for apt.example.com
>> info: Certificate Request fingerprint (md5): FB:05:0D:41:C8:46:3C:44:EE:AC:9D:48:4E:4A:CC:FB
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Caching certificate for apt.example.com
>> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
> Similarly,
>
> # puppet cert --list --all
> + apt.example.com (4C:FB:40:5B:9F:0F:CB:8B:78:57:78:D2:34:3F:8F:9B)
> + puppet.example.com (C5:37:33:6A:1D:AB:60:55:61:05:55:05:03:56:35:45)
> # puppet cert --clean apt.example.com
> notice: Revoked certificate with serial 3
> notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/ca/signed/apt.example.com.pem'
> notice: Removing file Puppet::SSL::Certificate apt.example.com at '/var/lib/puppet/ssl/certs/apt.example.com.pem'
>
> but then,
>
> # puppet agent --test --noop
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> Mind you, apt is a virgin computer each time. Things that the error message doesn't tell me:
>
> * which certificate failed,
> * why it failed in the context of puppet (not raw SSL jargon) and
> * what I should do to remedy the problem.
>
>>>> A new one will then be generated next time you connect.
>>>>
>>>> LS
>>>> --
>>>> Laurence Southon
>>>> Tiger Computing, Bexley
>>>> www.tiger-computing.co.uk
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to [email protected].
>>>> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
>>>
>>> --
>>> Brian L. Troutwine
>>
>> --
>> Brian L. Troutwine
>
> --
> Brian L. Troutwine

--
Brian L. Troutwine
