Hi,

The standard port is 8140, are you using a different port?

You will need to pass --server on the puppet agent. The command line is different from the daemon config. With certnames, your --servername must match the DNS name of the master. So using openssl s_client --connect <puppetmaster:8140> you should see the certname in the response. If that is different from the DNS name then you will have issues (which can be solved through the puppet.conf certname directive). Lastly, it is always good to run the same versions on client and server, I find.

So it's all running now?

Den

On 21/08/2011, at 9:04, Brian Troutwine <[email protected]> wrote:

> On Sat, Aug 20, 2011 at 6:18 PM, Denmat <[email protected]> wrote:
> Hi,
>
> Are you calling the puppet run with the '--server <puppetmaster>' parameter?
>
> Default is 'puppet', no? In any event, using --server or not has no effect.
>
> With SSL you basically need the following:
> * working DNS
> * clocks in sync
>
> Done.
>
> * correct certnames
>
> Can you elaborate?
>
> To help solve SSL issues also use 'openssl s_client' to test connections,
> check certnames and other errors.
>
> This is a definitive reference on puppet and SSL.
> http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/
>
> There is a newer doc than this on puppet docs site but can't find it at the
> moment:
> http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
>
> The latter is all that turns up in a Google search.
>
> Here's the fresh apt:
>
> # puppet agent --test --noop
> info: Creating a new SSL key for apt.example.com
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for apt.example.com
> err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it with the
> current key
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Then on the puppet master:
>
> # puppet cert --clean apt.example.com
> notice: Revoked certificate with serial 4
> notice: Removing file Puppet::SSL::Certificate apt.example.com at
> '/var/lib/puppet/ssl/ca/signed/apt.example.com.pem'
> notice: Removing file Puppet::SSL::Certificate apt.example.com at
> '/var/lib/puppet/ssl/certs/apt.example.com.pem'
>
> back to apt:
>
> # puppet agent --test --noop
> err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it with the
> current key
> Exiting; failed to retrieve certificate and waitforcert is disabled
> root@apt:~# openssl s_client -host puppet -port 8139 -cert
> /var/lib/puppet/ssl/certs/apt.example.com.pem -key
> /var/lib/puppet/ssl/private_keys/apt.example.com.pem -CAfile
> /var/lib/puppet/ssl/certs/ca.pem
> error setting private key
> 732:error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch:x509_cmp.c:406:
>
> Doesn't really tell me much. Then I noticed that puppet master's running
> 2.7.1 while my apt client machine is on 2.6.2 -- part of the catalog is an
> update of the puppet client to Debian backport's latest. I ran that update
> manually and:
>
> # openssl s_client -host puppet -port 8139 -cert
> /var/lib/puppet/ssl/certs/apt.example.com.pem -key
> /var/lib/puppet/ssl/private_keys/apt.example.com.pem -CAfile
> /var/lib/puppet/ssl/certs/ca.pem
> connect: Connection refused
> connect:errno=111
>
> while
>
> # puppet agent --server puppet.example.com --test
>
> ran to completion, with no errors. That leaves me even more confused than
> before, frankly. It's possible I'm not using openssl s_client correctly, but
> I think there's sufficient evidence that the puppet master is listening and
> will push down catalogs.
>
> Den
>
> On 21/08/2011, at 5:53, Brian Troutwine <[email protected]> wrote:
>
>> On Sat, Aug 20, 2011 at 2:47 PM, Brian Troutwine <[email protected]> wrote:
>> On Sat, Aug 20, 2011 at 12:18 PM, Brian Troutwine <[email protected]> wrote:
>> On Sat, Aug 20, 2011 at 10:04 AM, Laurence Southon
>> <[email protected]> wrote:
>> On 20/08/11 01:13, Brian Troutwine wrote:
>> > How do I actually revoke a faulty certificate?
>>
>> You can remove the client certificate entirely with:
>>
>> puppetca --clean apt.example.com
>>
>> I overlooked that entirely. Thank you.
>>
>> This does look like the flag I was looking for, however:
>>
>> # puppet cert --clean apt.example.com
>> notice: Revoked certificate with serial # Inventory of signed certificates
>> # SERIAL NOT_BEFORE NOT_AFTER SUBJECT
>> 0x0001 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=Puppet CA:
>> puppet.example.com
>> 0x0002 2011-08-19T18:20:48GMT 2016-08-17T18:20:48GMT /CN=puppet.example.com
>> 0x0003 2011-08-19T18:21:46GMT 2016-08-17T18:21:46GMT /CN=gateway.example.com
>>
>> err: Could not call revoke: Cannot convert into OpenSSL::BN
>>
>> and on apt.example.com:
>>
>> # puppet agent --test --noop
>> info: Creating a new SSL key for apt.example.com
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Creating a new SSL certificate request for apt.example.com
>> info: Certificate Request fingerprint (md5):
>> FB:05:0D:41:C8:46:3C:44:EE:AC:9D:48:4E:4A:CC:FB
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Caching certificate for apt.example.com
>> err: Could not retrieve catalog from remote server: SSL_connect returned=1
>> errno=0 state=SSLv3 read server certificate B: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> Similarly,
>>
>> # puppet cert --list --all
>> + apt.example.com (4C:FB:40:5B:9F:0F:CB:8B:78:57:78:D2:34:3F:8F:9B)
>> + puppet.example.com (C5:37:33:6A:1D:AB:60:55:61:05:55:05:03:56:35:45)
>> # puppet cert --clean apt.example.com
>> notice: Revoked certificate with serial 3
>> notice: Removing file Puppet::SSL::Certificate apt.example.com at
>> '/var/lib/puppet/ssl/ca/signed/apt.example.com.pem'
>> notice: Removing file Puppet::SSL::Certificate apt.example.com at
>> '/var/lib/puppet/ssl/certs/apt.example.com.pem'
>>
>> but then,
>>
>> # puppet agent --test --noop
>> err: Could not retrieve catalog from remote server: SSL_connect returned=1
>> errno=0 state=SSLv3 read server certificate B: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> Mind you, apt is a virgin computer each time. Things that the error message
>> doesn't tell me:
>>
>> * Which certificate failed,
>> * why it failed in the context of puppet (not raw ssl jargon) and
>> * what I should do to remedy the problem.
>>
>> A new one will then be generated next time you connect.
>>
>> LS
>> --
>> Laurence Southon
>> Tiger Computing, Bexley
>> www.tiger-computing.co.uk
>>
>> --
>> Brian L. Troutwine
>
> --
> Brian L. Troutwine

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
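The two checks the thread circles around, whether the agent's cached certificate belongs to its private key (the X509_check_private_key "key values mismatch" error) and whether a certificate's CN is the name the agent is told to connect to (the certname-vs-DNS-name point), can be scripted so the answer is a plain ok/FAIL instead of raw OpenSSL jargon. The script below is an added example written for this page, not code from the thread or from Puppet. It assumes only that the openssl command-line tool is on PATH; the function names are mine, the /var/lib/puppet/ssl/{certs,private_keys} layout is the one shown in the thread, and the CN is assumed to be a plain host name (no commas). The demo data it generates is constructed, self-signed throwaway material.

```shell
#!/bin/sh
# Added helper script (not from the thread): scriptable versions of the
# cert-matches-key and certname-matches-name checks discussed above.

# Print the CN of a PEM certificate file (RFC2253 form works across OpenSSL versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the certificate's public key equals the one derived from the
# private key, 1 on mismatch, 2 if either file cannot be read. Comparing the
# SubjectPublicKeyInfo blocks is what X509_check_private_key boils down to.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate's CN is exactly the expected name.
certname_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Print the CN of the certificate a master presents (needs network; not run
# by the offline demo). Pass the same name you give puppet agent --server.
remote_certname() {
    openssl s_client -connect "$1:${2:-8140}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Run both local checks against an agent's ssldir; one line per finding,
# non-zero exit status if anything is wrong.
check_agent_identity() {
    ssldir="$1"; certname="$2"; status=0
    cert="$ssldir/certs/$certname.pem"
    key="$ssldir/private_keys/$certname.pem"
    if cert_matches_key "$cert" "$key"; then
        echo "ok: $cert matches $key"
    else
        echo "FAIL: $cert does not match $key (clean $certname on the master, then rerun the agent)"
        status=1
    fi
    if certname_matches "$cert" "$certname"; then
        echo "ok: certificate CN is $certname"
    else
        echo "FAIL: certificate CN is '$(cert_cn "$cert")', expected $certname"
        status=1
    fi
    return $status
}

# Build a throwaway self-signed key/cert pair in the thread's directory layout
# so the checks can be exercised without a master (constructed test data only).
make_test_identity() {
    ssldir="$1"; cn="$2"
    mkdir -p "$ssldir/certs" "$ssldir/private_keys"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$ssldir/private_keys/$cn.pem" -out "$ssldir/certs/$cn.pem" \
        >/dev/null 2>&1
}

# Stand-alone demo on constructed data when run directly with no arguments:
# a healthy agent first, then the thread's failure mode (a certificate that
# was issued for a different key than the one the agent now holds).
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_test_identity "$demo" apt.example.com
    make_test_identity "$demo" gateway.example.com
    check_agent_identity "$demo" apt.example.com
    cp "$demo/certs/gateway.example.com.pem" "$demo/certs/apt.example.com.pem"
    check_agent_identity "$demo" apt.example.com || true
    rm -rf "${demo:?}"
fi

# On a real agent:
#   check_agent_identity /var/lib/puppet/ssl apt.example.com
#   remote_certname puppet.example.com 8140   # must equal the name given to --server
```

Comparing the extracted public keys rather than RSA moduli keeps the check valid for non-RSA keys as well, and checking the CN against the exact name passed to --server is the same comparison the agent's TLS verification performs on the master's certificate.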
