Re: [Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
So, this is the best I can do:

Ok, here we go, how to configure an "in the middle" puppetmaster.

Eg.
```
Puppetmaster (CA) - server-A
  Puppetmaster & Agent (to server-A) - server B
Agent (to server-B) - server-C
```

On server-B:
`service puppet stop`
`service puppetserver stop`

`vi /etc/puppetlabs/puppet/ssl/crls.pem` - new file:
```
-----BEGIN X509 CRL-----
Content from /etc/puppetlabs/puppet/ssl/crl.pem - on server-b
-----END X509 CRL-----
-----BEGIN X509 CRL-----
Content from /etc/puppetlabs/puppetserver/ca/ca_crl.pem - on server-a
-----END X509 CRL-----
```

`vi /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem` - new file:
```
-----BEGIN CERTIFICATE-----
Content from /etc/puppetlabs/puppet/ssl/certs/ca.pem - on server-b
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Content from /etc/puppetlabs/puppetserver/ca/ca_crt.pem - on server-a
-----END CERTIFICATE-----
-----BEGIN PUBLIC KEY-----
Content from /etc/puppetlabs/puppetserver/ca/ca_pub.pem - on server-a
-----END PUBLIC KEY-----
```

`cp /etc/puppetlabs/puppet/ssl/certs/server-b.pem /etc/puppetlabs/puppet/ssl/public_keys/server-b.pem`

```
Note. not sure if that last cp is right, and not sure if you also need to 
copy:
/etc/puppetlabs/puppetserver/ca/ca_key.pem - from server-a
to
/etc/puppetlabs/puppet/ssl/private_keys/server-a.pem - on server-b
```

Then run:
`mv /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem.bak`
`mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem.bak`
`mv /etc/puppetlabs/puppet/ssl/certs/server-b.pem /etc/puppetlabs/puppet/ssl/certs/server-b.pem.bak`

And then the import:
```
puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf \
  --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem \
  --crl-chain /etc/puppetlabs/puppet/ssl/crls.pem \
  --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
```

Then copy back the originals:
`mv /etc/puppetlabs/puppet/ssl/certs/ca.pem.bak /etc/puppetlabs/puppet/ssl/certs/ca.pem`
`mv /etc/puppetlabs/puppet/ssl/crl.pem.bak /etc/puppetlabs/puppet/ssl/crl.pem`
`mv /etc/puppetlabs/puppet/ssl/certs/server-b.pem.bak /etc/puppetlabs/puppet/ssl/certs/server-b.pem`

You should then be able to successfully run:
`puppet agent -t`

You can then start the puppetserver:
`service puppetserver start`

And should be able to again run:
`puppet agent -t`

Your "sub"-agents (eg. server-c) should now "just work" - provided they are 
signed against the ca of server-a...
Regardless, just run from server-c:
`puppet agent -t`

On Friday, 7 May 2021 at 11:12:02 am UTC+10 Aaron Nicoli wrote:

> OMG I got it working...
>
> I don't even really know how yet, but I'll reverse engineer what I did and 
> advise back here.
>
> On Friday, 7 May 2021 at 10:43:29 am UTC+10 Aaron Nicoli wrote:
>
>> So, I'm thinking this is the issue I'm running into, but still not sure 
>> how to resolve it:
>>
>> https://www.atcomputing.nl/blog/certificate-authority-and-puppet-6/
>>
>> Need to run puppetserver ca import - before starting the puppetserver.
>>
>> However, it seems `--private-key` `--crl-chain` and `--cert-bundle` are 
>> mandatory.
>>
>> What should I use for what?
>> ```
>> /etc/puppetlabs/puppet/ssl/certs/server-b.pem
>> /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem
>> /etc/puppetlabs/puppet/ssl/crl.pem
>> ```
>>
>> I've tried:
>> ```
>> puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf \
>>   --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem \
>>   --crl-chain /etc/puppetlabs/puppet/ssl/crl.pem \
>>   --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> ```
>>
>> But, it gives me the error of:
>> ```
>> Error:
>> Could not find certificate matching private key
>> ```
>>
>>
>> On Friday, 7 May 2021 at 10:09:50 am UTC+10 Aaron Nicoli wrote:
>>
>>> Cheers Warron,
>>>
>>> It was pretty obvious something on B is broken, but what who knows...
>>>
>>> I've just deleted everything related to B and C (A is prod, B and C are 
>>> new dev) [rm -rf /etc/puppetlabs/puppet/ssl; rm -rf 
>>> /etc/puppetlabs/puppetserver/ca; puppetserver ca clean x].
>>>
>>> After doing this, with both puppet and puppetserver services stopped on 
>>> B, I've run puppet agent -t...
>>> Then signed the request on server-A
>>>
>>> Everything working on B (as an agent)...
>>>
>>> Then again everything stopped and deleted on C (agent)...
>>> puppet agent -t, signed on A...
>>>
>>> Can't connect to the puppetmaster (server-B), because I haven't started 
>>> t
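
The two failures reported in this thread ("Could not find certificate matching private key" and "The CRL issued by ... is missing") can be checked for before running `puppetserver ca import`. The script below is an added example, not part of the thread or of Puppet; its function names are made up for illustration and it assumes the `openssl` command line tool is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks on the PEM files that
# are handed to `puppetserver ca import`. Requires the openssl command line tool.

# pem_labels FILE: list the distinct PEM block types present in FILE.
pem_labels() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | sort -u
}

# split_pem FILE LABEL OUTDIR: write each LABEL block of FILE to OUTDIR/NNN.pem.
split_pem() {
  awk -v label="$2" -v dir="$3" '
    { sub(/\r$/, "") }
    $0 == "-----BEGIN " label "-----" { n++; out = sprintf("%s/%03d.pem", dir, n) }
    out != "" { print > out }
    $0 == "-----END " label "-----" && out != "" { close(out); out = "" }
  ' "$1"
}

# find_matching_cert KEY BUNDLE: print the subject of the first certificate in
# BUNDLE whose public key belongs to private key KEY.
# Returns 1 if no certificate matches, 2 if KEY cannot be read.
find_matching_cert() {
  local key="$1" bundle="$2" tmp want cert rc=1
  want=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  tmp=$(mktemp -d) || return 2
  split_pem "$bundle" CERTIFICATE "$tmp"
  for cert in "$tmp"/*.pem; do
    [ -e "$cert" ] || continue
    if [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = "$want" ]; then
      openssl x509 -in "$cert" -noout -subject
      rc=0
      break
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# missing_crls BUNDLE CRL_CHAIN: print the subject of every certificate in
# BUNDLE for which CRL_CHAIN holds no CRL issued under that subject name
# (compared by OpenSSL name hash). Returns 1 if at least one CRL is missing.
missing_crls() {
  local bundle="$1" chain="$2" tmp f h hashes rc=0
  tmp=$(mktemp -d) || return 2
  mkdir "$tmp/cert" "$tmp/crl"
  split_pem "$bundle" CERTIFICATE "$tmp/cert"
  split_pem "$chain" "X509 CRL" "$tmp/crl"
  hashes=$(for f in "$tmp"/crl/*.pem; do
    [ -e "$f" ] || continue
    openssl crl -in "$f" -noout -hash 2>/dev/null || true
  done)
  for f in "$tmp"/cert/*.pem; do
    [ -e "$f" ] || continue
    h=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || h=unreadable
    if ! printf '%s\n' "$hashes" | grep -qx "$h"; then
      openssl x509 -in "$f" -noout -subject 2>/dev/null || echo "unreadable: $f"
      rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage with the files named in the message above (run on server-B):
#   pem_labels /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
#   find_matching_cert /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem \
#       /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
#   missing_crls /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem \
#       /etc/puppetlabs/puppet/ssl/crls.pem
```

`pem_labels` also shows when a bundle carries block types other than `CERTIFICATE`, such as the `PUBLIC KEY` block pasted into `ca_bundle.pem` above.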

Re: [Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
OMG I got it working...

I don't even really know how yet, but I'll reverse engineer what I did and 
advise back here.

On Friday, 7 May 2021 at 10:43:29 am UTC+10 Aaron Nicoli wrote:

> So, I'm thinking this is the issue I'm running into, but still not sure 
> how to resolve it:
>
> https://www.atcomputing.nl/blog/certificate-authority-and-puppet-6/
>
> Need to run puppetserver ca import - before starting the puppetserver.
>
> However, it seems `--private-key` `--crl-chain` and `--cert-bundle` are 
> mandatory.
>
> What should I use for what?
> ```
> /etc/puppetlabs/puppet/ssl/certs/server-b.pem
> /etc/puppetlabs/puppet/ssl/certs/ca.pem
> /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem
> /etc/puppetlabs/puppet/ssl/crl.pem
> ```
>
> I've tried:
> ```
> puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf \
>   --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem \
>   --crl-chain /etc/puppetlabs/puppet/ssl/crl.pem \
>   --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca.pem
> ```
>
> But, it gives me the error of:
> ```
> Error:
> Could not find certificate matching private key
> ```
>
>
> On Friday, 7 May 2021 at 10:09:50 am UTC+10 Aaron Nicoli wrote:
>
>> Cheers Warron,
>>
>> It was pretty obvious something on B is broken, but what who knows...
>>
>> I've just deleted everything related to B and C (A is prod, B and C are 
>> new dev) [rm -rf /etc/puppetlabs/puppet/ssl; rm -rf 
>> /etc/puppetlabs/puppetserver/ca; puppetserver ca clean x].
>>
>> After doing this, with both puppet and puppetserver services stopped on 
>> B, I've run puppet agent -t...
>> Then signed the request on server-A
>>
>> Everything working on B (as an agent)...
>>
>> Then again everything stopped and deleted on C (agent)...
>> puppet agent -t, signed on A...
>>
>> Can't connect to the puppetmaster (server-B), because I haven't started 
>> the service, but other than that everything perfect.
>>
>> Start the puppetserver service on server-B... and then run puppet agent 
>> -t on server-C again...
>> ```
>> Error: Connection to https://server-B:8140/puppet/v3 failed, trying next 
>> route: Request to https://server-B:8140/puppet/v3 failed after 0.103 
>> seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert 
>> certificate unknown
>> Wrapped exception:
>> SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate 
>> unknown
>> ```
>>
>> Pretty much back to where we started...
>>
>> Then I go back to server-B and run puppet agent -t... broken:
>> ```
>> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is 
>> missing
>> ```
>>
>> From what I can tell, the puppetserver service (upon startup on server-B) 
>> is "blatting" the correct certs on server-B...
>>
>> That's the best conclusion I can come to at this point.
>> On Friday, 7 May 2021 at 9:50:24 am UTC+10 warron...@gmail.com wrote:
>>
>>> @Aaron, good evening from the east coast of the USA.
>>>
>>> It looks like the first break in the chain is on ServerB, if that was 
>>> not also obvious to you.  To be clear, I have not worked with puppet since 
>>> version 4, and in my current professional role we don't use Puppet at all 
>>> (makes me sad actually).
>>>
>>> Anyway, I think you need to find The certificate for ServerB and confirm 
>>> the details about its PEM file.
>>> Use *openssl x509  -noout  -text **ServerB.pem*(the server's 
>>> PEM file is a placeholder)
>>>
>>> Can you provide a list of fullpath/file.pem's back to me?   *This is 
>>> not a production system correct?*
>>>
>>>
>>>
>>> --
>>> Warron French
>>>
>>>
>>>
>>> On Thu, May 6, 2021 at 7:29 PM Aaron Nicoli  wrote:
>>>
>>>> G'day Warron,
>>>>
>>>> So, doing some ca/ssl info gathering (note puppet cert not being a 
>>>> thing anymore on 7x that I'm running):
>>>>
>>>> On server-A (CA & master 1):
>>>> puppetserver ca list --all
>>>> server-A (alt names: DNS:puppet, DNS:server-A)
>>>> server-B (alt names: DNS:server-B)
>>>> server-C (alt names: DNS:server-C)
>>>>
>>>> puppet ssl show
>>>> ```
>>>> ...
>>>> Issuer: CN=Puppet CA: server-A
>>>> ...
>>>> Subject

Re: [Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
So, I'm thinking this is the issue I'm running into, but still not sure how 
to resolve it:

https://www.atcomputing.nl/blog/certificate-authority-and-puppet-6/

Need to run puppetserver ca import - before starting the puppetserver.

However, it seems `--private-key` `--crl-chain` and `--cert-bundle` are 
mandatory.

What should I use for what?
```
/etc/puppetlabs/puppet/ssl/certs/server-b.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/private_keys/server-b.pem
/etc/puppetlabs/puppet/ssl/crl.pem
```

I've tried:
```
puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf \
  --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem \
  --crl-chain /etc/puppetlabs/puppet/ssl/crl.pem \
  --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca.pem
```

But, it gives me the error of:
```
Error:
Could not find certificate matching private key
```


On Friday, 7 May 2021 at 10:09:50 am UTC+10 Aaron Nicoli wrote:

> Cheers Warron,
>
> It was pretty obvious something on B is broken, but what who knows...
>
> I've just deleted everything related to B and C (A is prod, B and C are 
> new dev) [rm -rf /etc/puppetlabs/puppet/ssl; rm -rf 
> /etc/puppetlabs/puppetserver/ca; puppetserver ca clean x].
>
> After doing this, with both puppet and puppetserver services stopped on B, 
> I've run puppet agent -t...
> Then signed the request on server-A
>
> Everything working on B (as an agent)...
>
> Then again everything stopped and deleted on C (agent)...
> puppet agent -t, signed on A...
>
> Can't connect to the puppetmaster (server-B), because I haven't started 
> the service, but other than that everything perfect.
>
> Start the puppetserver service on server-B... and then run puppet agent -t 
> on server-C again...
> ```
> Error: Connection to https://server-B:8140/puppet/v3 failed, trying next 
> route: Request to https://server-B:8140/puppet/v3 failed after 0.103 
> seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert 
> certificate unknown
> Wrapped exception:
> SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
> ```
>
> Pretty much back to where we started...
>
> Then I go back to server-B and run puppet agent -t... broken:
> ```
> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
> ```
>
> From what I can tell, the puppetserver service (upon startup on server-B) 
> is "blatting" the correct certs on server-B...
>
> That's the best conclusion I can come to at this point.
> On Friday, 7 May 2021 at 9:50:24 am UTC+10 warron...@gmail.com wrote:
>
>> @Aaron, good evening from the east coast of the USA.
>>
>> It looks like the first break in the chain is on ServerB, if that was not 
>> also obvious to you.  To be clear, I have not worked with puppet since 
>> version 4, and in my current professional role we don't use Puppet at all 
>> (makes me sad actually).
>>
>> Anyway, I think you need to find The certificate for ServerB and confirm 
>> the details about its PEM file.
>> Use *openssl x509  -noout  -text **ServerB.pem*(the server's PEM 
>> file is a placeholder)
>>
>> Can you provide a list of fullpath/file.pem's back to me?   *This is not 
>> a production system correct?*
>>
>>
>>
>> --
>> Warron French
>>
>>
>>
>> On Thu, May 6, 2021 at 7:29 PM Aaron Nicoli  wrote:
>>
>>> G'day Warron,
>>>
>>> So, doing some ca/ssl info gathering (note puppet cert not being a thing 
>>> anymore on 7x that I'm running):
>>>
>>> On server-A (CA & master 1):
>>> puppetserver ca list --all
>>> server-A (alt names: DNS:puppet, DNS:server-A)
>>> server-B (alt names: DNS:server-B)
>>> server-C (alt names: DNS:server-C)
>>>
>>> puppet ssl show
>>> ```
>>> ...
>>> Issuer: CN=Puppet CA: server-A
>>> ...
>>> Subject: CN=server-A
>>> ...
>>> ```
>>>
>>> On server-B (master 2):
>>> puppetserver ca list --all
>>> ```
>>> Error: Failed connecting to 
>>> https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
>>>   Root cause: SSL_connect returned=1 errno=0 state=error: certificate 
>>> verify failed (unable to get certificate CRL)
>>> ```
>>>
>>> puppet ssl show
>>> ```
>>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is 
>>> missing
>>> ```
>>>
>>> I also note that today, puppet agent -t, is now also failing with:
>>&g

Re: [Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
Cheers Warron,

It was pretty obvious something on B is broken, but what who knows...

I've just deleted everything related to B and C (A is prod, B and C are new 
dev) [rm -rf /etc/puppetlabs/puppet/ssl; rm -rf 
/etc/puppetlabs/puppetserver/ca; puppetserver ca clean x].

After doing this, with both puppet and puppetserver services stopped on B, 
I've run puppet agent -t...
Then signed the request on server-A

Everything working on B (as an agent)...

Then again everything stopped and deleted on C (agent)...
puppet agent -t, signed on A...

Can't connect to the puppetmaster (server-B), because I haven't started the 
service, but other than that everything perfect.

Start the puppetserver service on server-B... and then run puppet agent -t 
on server-C again...
```
Error: Connection to https://server-B:8140/puppet/v3 failed, trying next 
route: Request to https://server-B:8140/puppet/v3 failed after 0.103 
seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert 
certificate unknown
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
```

Pretty much back to where we started...

Then I go back to server-B and run puppet agent -t... broken:
```
Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
```

From what I can tell, the puppetserver service (upon startup on server-B) 
is "blatting" the correct certs on server-B...

That's the best conclusion I can come to at this point.
On Friday, 7 May 2021 at 9:50:24 am UTC+10 warron...@gmail.com wrote:

> @Aaron, good evening from the east coast of the USA.
>
> It looks like the first break in the chain is on ServerB, if that was not 
> also obvious to you.  To be clear, I have not worked with puppet since 
> version 4, and in my current professional role we don't use Puppet at all 
> (makes me sad actually).
>
> Anyway, I think you need to find The certificate for ServerB and confirm 
> the details about its PEM file.
> Use *openssl x509  -noout  -text **ServerB.pem*(the server's PEM 
> file is a placeholder)
>
> Can you provide a list of fullpath/file.pem's back to me?   *This is not 
> a production system correct?*
>
>
>
> ------
> Warron French
>
>
>
> On Thu, May 6, 2021 at 7:29 PM Aaron Nicoli  wrote:
>
>> G'day Warron,
>>
>> So, doing some ca/ssl info gathering (note puppet cert not being a thing 
>> anymore on 7x that I'm running):
>>
>> On server-A (CA & master 1):
>> puppetserver ca list --all
>> server-A (alt names: DNS:puppet, DNS:server-A)
>> server-B (alt names: DNS:server-B)
>> server-C (alt names: DNS:server-C)
>>
>> puppet ssl show
>> ```
>> ...
>> Issuer: CN=Puppet CA: server-A
>> ...
>> Subject: CN=server-A
>> ...
>> ```
>>
>> On server-B (master 2):
>> puppetserver ca list --all
>> ```
>> Error: Failed connecting to 
>> https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
>>   Root cause: SSL_connect returned=1 errno=0 state=error: certificate 
>> verify failed (unable to get certificate CRL)
>> ```
>>
>> puppet ssl show
>> ```
>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is 
>> missing
>> ```
>>
>> I also note that today, puppet agent -t, is now also failing with:
>> ```
>> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is 
>> missing
>> ```
>>
>> On server-C (agent):
>> puppet ssl show:
>> ```
>> ...
>> Issuer: CN=Puppet CA:server-A
>> ...
>> Subject: CN=server-B
>> ...
>> ```
>>
>> Hope this helps my case!
>> On Friday, 7 May 2021 at 8:42:46 am UTC+10 warron...@gmail.com wrote:
>>
>>> This, if I remember correctly, looks like a certificate chain issue.  
>>> Your Puppet Architecture is a "Master of Masters" architecture.
>>>
>>> Cert for Server B is signed by Cert for Server A?  Correct?
>>> Is the cert for Server C (the agent) signed by the CA certificate chain?
>>>
>>> Try executing:  *puppet cert list* and confirm that all certificates 
>>> for all three servers are listed.  
>>>
>>> --
>>> Warron French
>>>
>>>
>>>
>>> On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli  wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have the following puppet layout:
>>>> ```
>>>> Server A - Puppetserver (CA)
>>>>   Server B - Puppetser

Re: [Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
G'day Warron,

So, doing some ca/ssl info gathering (note puppet cert not being a thing 
anymore on 7x that I'm running):

On server-A (CA & master 1):
puppetserver ca list --all
server-A (alt names: DNS:puppet, DNS:server-A)
server-B (alt names: DNS:server-B)
server-C (alt names: DNS:server-C)

puppet ssl show
```
...
Issuer: CN=Puppet CA: server-A
...
Subject: CN=server-A
...
```

On server-B (master 2):
puppetserver ca list --all
```
   Error: Failed connecting to 
https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
  Root cause: SSL_connect returned=1 errno=0 state=error: certificate 
verify failed (unable to get certificate CRL)
```

puppet ssl show
```
Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
```

I also note that today, puppet agent -t, is now also failing with:
```
Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
```

On server-C (agent):
puppet ssl show:
```
...
Issuer: CN=Puppet CA:server-A
...
Subject: CN=server-B
...
```

Hope this helps my case!
On Friday, 7 May 2021 at 8:42:46 am UTC+10 warron...@gmail.com wrote:

> This, if I remember correctly, looks like a certificate chain issue.  Your 
> Puppet Architecture is a "Master of Masters" architecture.
>
> Cert for Server B is signed by Cert for Server A?  Correct?
> Is the cert for Server C (the agent) signed by the CA certificate chain?
>
> Try executing:  *puppet cert list* and confirm that all certificates for 
> all three servers are listed.  
>
> --
> Warron French
>
>
>
> On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli  wrote:
>
>> Hi all,
>>
>> I have the following puppet layout:
>> ```
>> Server A - Puppetserver (CA)
>>   Server B - Puppetserver
>> Server C - Agent
>> ```
>>
>> With the agent (server C) having its cert signed by the CA (server A) 
>> however pointed to (server B) as its master.
>>
>> The issue I'm having is that when running `puppet agent -t` on the agent, 
>> I can create a request to the CA and have the CA sign it, but then when I 
>> go to run again:
>>
>> ```
>> Error: Connection to 
>> https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying 
>> next route: Request to 
>> https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after 
>> 0.094 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert 
>> certificate unknown
>> ```
>>
>> Now on the agent, I can see that the Server-B cert is signed by the CA 
>> Server-A and it's available on the agent (server C) under: 
>> `/etc/puppetlabs/puppet/ssl/certs/ca.pem`
>>
>> But yet - I still get the error... where is the puppet agent trying to 
>> find the `ca.pem` cert to verify the master's certificate?!?
>>
>> Any ideas?
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com?utm_medium=email_source=footer>
>> .
>>
>



[Puppet Users] single CA with multiple masters - agent getting: sslv3 alert certificate unknown

2021-05-06 Thread Aaron Nicoli
Hi all,

I have the following puppet layout:
```
Server A - Puppetserver (CA)
  Server B - Puppetserver
Server C - Agent
```

With the agent (server C) having its cert signed by the CA (server A) 
however pointed to (server B) as its master.

The issue I'm having is that when running `puppet agent -t` on the agent, I 
can create a request to the CA and have the CA sign it, but then when I go 
to run again:

```
Error: Connection to 
https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying 
next route: Request to 
https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after 0.094 
seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert 
certificate unknown
```

Now on the agent, I can see that the Server-B cert is signed by the CA 
Server-A and it's available on the agent (server C) under: 
`/etc/puppetlabs/puppet/ssl/certs/ca.pem`

But yet - I still get the error... where is the puppet agent trying to find 
the `ca.pem` cert to verify the master's certificate?!?

Any ideas?



[Puppet Users] Basic string manipulation in puppet

2012-02-16 Thread Aaron Nicoli
Hi all,

Been searching the net for a few hours now.
I have a basic operation I wish to perform but, cannot find examples
close enough to what I'm after to implement it myself.

This is what I want to do:

$version = '10.2.0'

I want to manipulate the string to make a new var ($cutversion), equal
just 102.

For example in perl (since I know it):

$version = '10.2.0';
if ($version =~ /^(\d+)\.(\d+).*$/) {
   $cutversion = $1 . $2;
}

Any help?

Thanks,
Aaron.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: Basic string manipulation in puppet

2012-02-16 Thread Aaron Nicoli
Stefan,

You're the man, thanks for the help, exactly the kind of thing I am
after!

Cheers dude,

On Feb 17, 10:24 am, Stefan Schulte stefan.schu...@taunusstein.net
wrote:
> On Thu, Feb 16, 2012 at 02:50:27PM -0800, Aaron Nicoli wrote:
>> Hi all,
>>
>> Been searching the net for a few hours now.
>> I have a basic operation I wish to perform but, cannot find examples
>> close enough to what I'm after to implement it myself.
>>
>> This is what I want to do:
>>
>> $version = '10.2.0'
>>
>> I want to manipulate the string to make a new var ($cutversion), equal
>> just 102.
>>
>> For example in perl (since I know it):
>>
>> $version = '10.2.0';
>> if ($version =~ /^(\d+)\.(\d+).*$/) {
>>    $cutversion = $1 . $2;
>> }
>>
>> Any help?
>
> There are not that many string manipulating functions in puppet itself
> but you can always build your own [1] or have a look at the puppet-std
> [2]
>
> However your problem can be solved with the built-in function regsubst
> which can be found in the function reference [3]
>
> This should work (while untested)
>
>     $cutversion = regsubst($version, '^(\d+)\.(\d+).*$', '\1\2')
>
> Does this help?
>
> -Stefan
>
> [1] http://docs.puppetlabs.com/guides/custom_functions.html
> [2] https://github.com/puppetlabs/puppetlabs-stdlib
> [3] http://docs.puppetlabs.com/references/2.7.9/function.html#regsubst
>
> -Stefan
