Hello everyone,
CentOS 7.1, Puppet 3.6.2.
The agent can't request a certificate signing because the SSL connection to
the master doesn't work "Warning: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed: [self
signed certificate in certificate chain"
Initially, I could verify that the underlying openssl will return a connection
error using both "openssl s_client -connect host:8140" and a simple Ruby
program where I "http.start { http.request(req) }" and then check for SSL
errors.
But then using the -showcerts option in the openssl command above I could
see and copy the master's cert into
/etc/pki/ca-trust/source/anchors/host.pem after which I run
update-ca-trust. Predictably enough both the openssl s_client and my ruby
test would then connect OK to the master on port 8140; yet agent -t keeps
returning an error.
I've searched for all .pems on the instance:
/var/lib/puppet/ssl/certificate_requests/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/public_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/private_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/ca.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source/anchors/host.pem
/etc/pki/tls/cert.pem
/usr/share/rubygems/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem
/usr/share/rubygems/rubygems/ssl_certs/host.pem
/usr/share/rubygems/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem
The "/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem" is just a link
to "/etc/pki/tls/cert.pem", which in turn is controlled by update-ca-trust,
but, just as an extra check, if I grep for the master's cert in
"/etc/pki/tls/cert.pem" I get a match. As you can see above, I've also
added host.pem (an exact copy of the master's cert) into
"/usr/share/rubygems/rubygems/ssl_certs/" but to no avail... it was a
desperate measure, I agree, if only because the said pem was anyway
included in "/etc/pki/tls/cert.pem", but I'm really running out of ideas. An
strace -e trace=file shows that the only .pem files read by "puppet agent
-t" are the ones from "/var/lib/puppet/ssl/" and the one from
"/etc/pki/tls/cert.pem". Since both openssl s_client and my Ruby test work,
the whole thing should have worked... yet it doesn't. Any hints? :-|
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/30a5c338-d6a4-4f6d-a40c-0e0fc0149548%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
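The detail that explains why s_client and the hand-written Ruby test can succeed while the agent still fails is that Puppet does not consult the system trust store at all: the agent verifies the master against its own CA bundle, the `localcacert` setting, which in Puppet 3 defaults to `/var/lib/puppet/ssl/certs/ca.pem` (the file the strace in the post shows being read). Adding the master's cert to `/etc/pki/ca-trust` fixes the system-wide tools but changes nothing for the agent, so the question is whether that `ca.pem` is the CA that actually signed the master. The Ruby below is an added example, not the poster's test program or Puppet code: it generates throwaway keys and certificates (all names constructed) and verifies the master's chain against a store holding the right CA and against one holding a different CA, reproducing OpenSSL verify code 19, the "self signed certificate in certificate chain" error from the post, and the related code 20 that appears when the server did not send its CA in the handshake.

```ruby
require 'openssl'

# Everything below is constructed for this example: throwaway keys, CAs and
# hostnames, not material from the post or from Puppet itself.

# Build a self-signed CA certificate and its private key.
def make_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue a server (leaf) certificate signed by the given CA.
def make_server_cert(common_name, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a leaf plus whatever extra certs the server sent, against a trust
# store holding only the CA certs given. This mirrors a client pointed at one
# specific CA file (Puppet's localcacert) rather than the system bundle.
# Returns [verified?, OpenSSL verify error code, human-readable error string].
def verify_chain(leaf, sent_chain, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf, sent_chain)
  [ok, store.error, store.error_string]
end

# Run the three situations an agent can be in and return them keyed by name.
def run_scenarios
  puppet_ca, puppet_ca_key = make_ca('Example Puppet CA') # CA that signed the master
  stale_ca, _stale_key     = make_ca('Example stale CA')  # leftover ca.pem from an old deployment
  master = make_server_cert('puppetmaster.example.test', puppet_ca, puppet_ca_key)

  {
    # Agent's ca.pem is the CA that signed the master: verification succeeds.
    right_ca: verify_chain(master, [puppet_ca], [puppet_ca]),
    # Master sends its chain up to its self-signed CA, but the agent trusts a
    # different CA: code 19, "self signed certificate in certificate chain".
    wrong_ca: verify_chain(master, [puppet_ca], [stale_ca]),
    # Same wrong CA, but the server sent only its leaf: code 20, "unable to
    # get local issuer certificate". Which of the two appears tells you
    # whether the self-signed root was actually delivered in the handshake.
    wrong_ca_no_chain: verify_chain(master, [], [stale_ca])
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each do |name, (ok, code, msg)|
    puts format('%-18s verified=%-5s code=%-2d %s', name, ok, code, msg)
  end
end
```

The practical check this suggests on a real agent is to compare the `ca.pem` under `/var/lib/puppet/ssl/certs/` with the CA the master presents (the issuer shown by `openssl s_client -showcerts`): a verify code 19 with a matching chain in hand means the agent holds a different CA certificate than the one that issued the master's cert, which is a trust-store mismatch rather than a system-CA problem.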