Jo, I hope that you are right, because probably time or naming problems are 
solvable, unlike problems with ssl lib...
Let's assume it is a timing problem: I synchronized date and hwclock on 
agent manually, obtaining an offset of 2 seconds with master. Is it too 
much? Shall I set up an NTP service on master? 
Otherwise, if the problem is related to naming, what kind of checks 
should I perform?

Thanks a lot in advance


On Monday, 11 February 2013 22:51:34 UTC+1, Jo wrote:
>
> Sounds like your puppet master isn't signing the cert with the name that 
> the agent is connecting with?
>
> All cert problems are either time sync or certificate name issues. So it's 
> one of those two.
>
> On Feb 11, 2013, at 9:35 AM, Luigi Martin Petrella wrote:
>
> I have a puppet master on Centos 6.3 connected and working properly with 
> other Centos 6.3 agent. I installed puppet agent via gems on a RED HAT 4 
> node. This is what happens when I try to sign certificate for the new node: 
>
> AGENT 
>
> [root@FP2 ~]$ puppet agent -t
> Info: Creating a new SSL key for fp2
> Info: Caching certificate for ca
> Info: Creating a new SSL certificate request for fp2
> Info: Certificate Request fingerprint (SHA1): 35:51:A0:12:CF:2E:F7:73:22:C3:5E:51:DC:03:AF:4C:FC:54:5C:10
> Exiting; no certificate found and waitforcert is disabled
>
> MASTER 
>
> [root@puppet centos]# puppet cert list
> "fp2" (SHA1) 35:51:A0:12:CF:2E:F7:73:22:C3:5E:51:DC:03:AF:4C:FC:54:5C:10
> [root@puppet centos]# puppet cert sign fp2
> Notice: Signed certificate request for fp2
> Notice: Removing file Puppet::SSL::CertificateRequest fp2 at '/var/lib/puppet/ssl/ca/requests/fp2.pem'
>
> AGENT 
>
> [root@FP2 ~]$ puppet agent -t
> Info: Caching certificate for fp2
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
> Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=Puppet CA: master]
>
> I tried several times to clear the certificate on master and agent but I 
> always have the same result. To help to understand and debug the issue, here 
> is some other information: 
>
> - clocks are synchronized on server and agent 
>
> - I installed puppet agent on Red Hat 4 node using the following procedure: 
>
> Install ruby
>
> a. wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz 
>
> b. tar -xzvf ruby-1.8.7.tar.gz
>
> c. cd ruby-1.8.7 
>
> d. ./configure
>
> e. make
>
> f. make install 
>
> Install rubygems 
>
> a. wget http://rubyforge.org/frs/download.php/70696/rubygems-1.3.7.tgz 
>
> b. tar xvzf rubygem*.tgz 
>
> c. cd rubygem* 
>
> d. ruby setup.rb 
>
> Install library openssl-devel (needed to install openssl support for ruby, 
> otherwise nothing works) 
>
> a. wget ftp://ftp.pbone.net/mirror/ftp.wesmo.com/pub/redhat/i386/openssl-devel-0.9.7-1.i386.rpm
>
> b. rpm -i openssl-devel-0.9.7-1.i386.rpm (Note: 0.9.7 is the most updated 
> version of openssl library that can be installed on red hat 4)
>
> Install openssl support for ruby
>
> a. cd /${ruby_src}/ext/openssl 
>
> b. ruby extconf.rb 
>
> c. make
>
> d. make install
>
> a. gem install puppet
>
> - puppet.conf is the same on working and non-working agent
>
> I’m afraid this problem is related to openssl… rpm -qa | grep openssl: 
>
> On Centos (master and working nodes) 
>
> openssl-devel-1.0.0-25.el6_3.1.i686
> openssl-1.0.0-25.el6_3.1.i686
>
> on Red Hat 4 agent:
>
> openssl-0.9.7a-43.17.el4_6.1
> openssl-devel-0.9.7-1
>
> Hope someone could help..
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com.
> To post to this group, send email to puppet...@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
>
>
> -- 
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet 
> projects.
>
>
>  
>
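
The two checks raised in this thread (agent clock against the certificate's validity window, and the name the agent connects with against the names in the master's certificate), plus the signature check that matches the error in the agent log, as an added example that is not part of the original messages. The CA and master certificates are constructed in-process; the hostnames, the signing time and the helper names `make_cert` and `diagnose` are assumptions.

```ruby
require 'openssl'

# Build a constructed sample certificate (not a real Puppet CA or master cert).
def make_cert(cn, key, issuer, issuer_key, not_before, san = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 365 * 86_400
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Checks an agent can make on the master's certificate: `now` is the agent's
# clock, `server_name` is the name the agent connects with.
def diagnose(cert, ca_cert, server_name, now)
  problems = []
  problems << :clock_before_not_before if now < cert.not_before
  problems << :clock_after_not_after if now > cert.not_after
  # Uses subjectAltName DNS entries when present, otherwise the subject CN.
  unless OpenSSL::SSL.verify_certificate_identity(cert, server_name)
    problems << :name_mismatch
  end
  # Reported separately: the certificate was not signed by this CA key.
  problems << :signature_not_from_ca unless cert.verify(ca_cert.public_key)
  problems
end

# Constructed sample data; hostnames and the signing time are assumptions.
SIGNED_AT = Time.utc(2013, 2, 11, 17, 35, 0)
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA = make_cert('Puppet CA: master', CA_KEY, nil, CA_KEY, SIGNED_AT - 86_400)
MASTER_KEY = OpenSSL::PKey::RSA.new(2048)
MASTER = make_cert('master.example.test', MASTER_KEY, CA, CA_KEY, SIGNED_AT,
                   'DNS:puppet,DNS:master.example.test')

if __FILE__ == $PROGRAM_NAME
  puts "notBefore=#{MASTER.not_before} notAfter=#{MASTER.not_after}"
  puts "agent 2 s behind: #{diagnose(MASTER, CA, 'puppet', SIGNED_AT - 2)}"
  puts "wrong name:       #{diagnose(MASTER, CA, 'puppet.lan', SIGNED_AT + 60)}"
end
```

In this sample the master certificate's notBefore is the signing instant, so an agent clock 2 seconds behind fails the first check; the same offset passes when notBefore was written earlier than the signing time.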
