@Aaron, good evening from the east coast of the USA.

It looks like the first break in the chain is on ServerB, if that was not
also obvious to you.  To be clear, I have not worked with puppet since
version 4, and in my current professional role we don't use Puppet at all
(makes me sad actually).

Anyway, I think you need to find the certificate for ServerB and confirm
the details about its PEM file.
Use `openssl x509 -noout -text -in ServerB.pem` (the server's PEM
file name is a placeholder).

Can you provide a list of full-path file.pem's back to me? This is not a
production system, correct?



--------------------------
Warron French



On Thu, May 6, 2021 at 7:29 PM Aaron Nicoli <aaronnic...@gmail.com> wrote:

> G'day Warron,
>
> So, doing some ca/ssl info gathering (note puppet cert not being a thing
> anymore on 7x that I'm running):
>
> On server-A (CA & master 1):
> puppetserver ca list --all
> server-A (alt names: DNS:puppet, DNS:server-A)
> server-B (alt names: DNS:server-B)
> server-C (alt names: DNS:server-C)
>
> puppet ssl show
> ```
> ...
> Issuer: CN=Puppet CA: server-A
> ...
> Subject: CN=server-A
> ...
> ```
>
> On server-B (master 2):
> puppetserver ca list --all
> ```
>    Error: Failed connecting to
> https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
>   Root cause: SSL_connect returned=1 errno=0 state=error: certificate
> verify failed (unable to get certificate CRL)
> ```
>
> puppet ssl show
> ```
> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
> ```
>
> I also note that today, puppet agent -t, is now also failing with:
> ```
> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
> ```
>
> On server-C (agent):
> puppet ssl show:
> ```
> ...
> Issuer: CN=Puppet CA:server-A
> ...
> Subject: CN=server-B
> ...
> ```
>
> Hope this helps my case!
> On Friday, 7 May 2021 at 8:42:46 am UTC+10 warron...@gmail.com wrote:
>
>> This, if I remember correctly, looks like a certificate chain issue.
>> Your Puppet Architecture is a "Master of Masters" architecture.
>>
>> Cert for Server B is signed by Cert for Server A?  Correct?
>> Is the cert for Server C (the agent) signed by the CA certificate chain?
>>
>> Try executing `puppet cert list` and confirm that all certificates for
>> all three servers are listed.
>>
>> --------------------------
>> Warron French
>>
>>
>>
>> On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli <aaron...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I have the following puppet layout:
>>> ```
>>> Server A - Puppetserver (CA)
>>>   Server B - Puppetserver
>>>     Server C - Agent
>>> ```
>>>
>>> With the agent (server C) having its cert signed by the CA (server A),
>>> however pointed to server B as its master.
>>>
>>> The issue I'm having is that when running `puppet agent -t` on the
>>> agent, I can create a request to the CA and have the CA sign it, but then
>>> when I go to run again:
>>>
>>> ```
>>> Error: Connection to
>>> https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying
>>> next route: Request to
>>> https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after
>>> 0.094 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert
>>> certificate unknown
>>> ```
>>>
>>> Now on the agent, I can see that the Server-B cert is signed by the CA
>>> Server-A and it's available on the agent (server C) under:
>>> `/etc/puppetlabs/puppet/ssl/certs/ca.pem`
>>>
>>> But yet - I still get the error... where is the puppet agent trying to
>>> find the `ca.pem` cert to verify the masters certificate?!?
>>>
>>> Any ideas?
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to puppet-users...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com
>>> <https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>

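To make the checks discussed in this thread reproducible offline, here is an added example script (my own, not code from Warron, Aaron or the Puppet project). It builds a throwaway CA whose issuer name matches the thread ("Puppet CA: server-A"), issues a cert for server-B from it, and runs `openssl verify` the three ways that matter here: chain only (what looked fine on server-C), chain with CRL checking but no CRL file (which reproduces "unable to get certificate CRL"), and chain with the CRL supplied. It then revokes server-B and reissues the CRL to show the same check rejecting a revoked cert. The temp directory, the CA config file, key sizes and lifetimes are assumptions made for the demo. On a real node you would point `-CAfile` at /etc/puppetlabs/puppet/ssl/certs/ca.pem (the path Aaron cites) and `-CRLfile` at the agent's CRL file (assumed here to be crl.pem in the same ssl directory).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: build a throwaway CA named like the
# one in the thread ("Puppet CA: server-A"), issue a cert for server-B from it,
# and run the chain + CRL checks that puppet performs, so the
# "unable to get certificate CRL" failure can be reproduced and then cleared.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config for the toy CA. Paths, lifetimes and key sizes are assumptions
# chosen for the demo; only the CA and leaf names follow the thread.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = toy_ca

[ toy_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 30
default_crl_days = 30
default_md       = sha256
policy           = toy_policy
x509_extensions  = server_ext

[ toy_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:server-B
EOF
touch "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# CA key + self-signed CA cert (the role server-A plays).
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=Puppet CA: server-A" -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# CSR for server-B, signed through `openssl ca` so the cert lands in the CA
# database and can be revoked later.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=server-B" \
  -keyout "$WORK/server-B.key" -out "$WORK/server-B.csr" >/dev/null 2>&1
openssl ca -batch -notext -config "$WORK/ca.cnf" \
  -in "$WORK/server-B.csr" -out "$WORK/server-B.pem" >/dev/null 2>&1

# chain_only <cert>: issuer/signature check with no revocation checking. This
# is the part that already looked right on server-C. Prints OK or FAIL.
chain_only() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}

# verdict <cert> [crl]: the same check with CRL checking on, reduced to one
# word: OK, MISSING_CRL (no CRL for the issuer, the thread's error), REVOKED, FAIL.
verdict() {
  local cert=$1 crl=${2:-} out
  if [ -n "$crl" ]; then
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$crl" "$cert" 2>&1) \
      && { echo OK; return 0; }
  else
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" "$cert" 2>&1) \
      && { echo OK; return 0; }
  fi
  case $out in
    *"unable to get certificate CRL"*) echo MISSING_CRL ;;
    *"certificate revoked"*)           echo REVOKED ;;
    *)                                 echo FAIL ;;
  esac
  return 1
}

B=$WORK/server-B.pem
echo "chain only               : $(chain_only "$B")"                               # OK
echo "CRL check, no CRL file   : $(verdict "$B" || true)"                          # MISSING_CRL
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-empty.pem" >/dev/null 2>&1
echo "CRL check, CRL present   : $(verdict "$B" "$WORK/crl-empty.pem" || true)"    # OK

# Revoke server-B, reissue the CRL, and show the same check now rejects it.
openssl ca -config "$WORK/ca.cnf" -revoke "$B" >/dev/null 2>&1
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-revoked.pem" >/dev/null 2>&1
echo "CRL check, after revoke  : $(verdict "$B" "$WORK/crl-revoked.pem" || true)"  # REVOKED
```

The second line of output is the state Aaron's server-B is in: the issuer chain is intact, so `puppet ssl show`'s Issuer/Subject lines and a plain `openssl verify` both look healthy, yet any client that insists on revocation checking fails until a CRL signed by that issuer is present alongside ca.pem.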