On Monday, April 7, 2014 4:57:43 PM UTC-5, Charlie Baum wrote:
> I have 8 or 9 Windows 2012 servers with latest puppet client 3.4.3. Out of those, 4 of them have experienced issues with the SSL cert. Here is what my event log contains: (each line is a different entry in the event log, all within about 1.5 seconds)
>
> *Unable to fetch my node definition, but the agent run will continue:*
>
> *SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Could not retrieve file metadata for puppet://autopuppet.sys.comcast.net/plugins <http://autopuppet.sys.comcast.net/plugins>: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> *Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> This is very frustrating for a product I would like to put into production. I have searched and found resolutions to this issue, but can't find a discussion on the root cause. Is it a crappy Windows agent? Bug/issue on the puppet master side? How can I avoid this from happening all over my prod environment if I go that route?

These errors are all reporting the same thing: that the agent's SSL certificate has been revoked. To the best of my knowledge -- and I have looked -- base Puppet contains no internal mechanism for automatically revoking certificates. Therefore, I am inclined to suspect that the certificates are being revoked by some external actor, either a person or an external automated process. If you are using PE, though, then "external" could mean "among the proprietary pieces of the overall product".

With that said, there was another recent thread complaining about unexpected certificate revocations: https://groups.google.com/forum/#!searchin/puppet-users/certificate$20revoked/puppet-users/UYM3fouDGVE/zehQy4nW0dUJ. No cause was ever reported there, but perhaps it was related.

The bottom line is that I don't think we can tell you at this point what the nature of the problem is. It is not a known flaw in Puppet, but that doesn't necessarily mean that Puppet is not responsible. My apologies for being unable to be more definitive.

John
