I was having the same problem on a very similar setup.  My fix was
to put a 'hashed' link in the openssl certs directory to the CA
certificate on the agent machine.  So if you haven't already
copied your ca.pem or ca_crt.pem file to the agent host, that is
your first step.

openssl version -d
[will give you the base openssl dir]

openssl x509 -hash -noout -in /etc/puppet/ssl/certs/ca.pem
[will give you CA cert hash...something like 520f3686]

Go into the openssl dir you received from above and create a
'hashed' link in the certs directory to your CA cert file.

ls -al /etc/pki/tls/certs/520f3686.0
lrwxrwxrwx 1 root root 29 Jun 22 02:21 /etc/pki/tls/certs/520f3686.0 -> /etc/puppet/ssl/ca/ca_crt.pem

Note that a ".0" is added to the end of your hash when creating the link.


On Jun 15, 12:32 pm, EduardR <edrozenb...@gmail.com> wrote:
> Hello,
>
> Running latest Puppet 2.7rc4, Ruby 1.9.2 p180, slackware 13.37 64.
> Default (webrick) setup,
> no mongrel no apache.
>
> Running puppet master on the main puppet server works fine, no
> problem.
> Running puppet agent on the same machine works fine, no problem.
>
> Running puppet agent on a client server (separate machine) connecting
> to master gives the following error:
> "err: Could not request certificate: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed"
>
> I found this post that suggests the error could be related to ruby 1.9
> not finding a cert file to use:
> http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/
> "The problem comes from the fact that the new Ruby 1.9 installation
> doesn’t find the certification authority certificates (CA Certs) used
> to verify the authenticity of secured web servers."
>
> However, I've had no luck despite trying to add SSL_CERT_FILE and
> SSL_CERT_PATH env variables to default.rb and puppet agent command
> line. If the cert file is the problem, is there some other way to get
> puppet to pass the proper cert info to ruby (my system certs are in
> /etc/ssl/certs)?
>
> If I use Ruby 1.8.7, no problem. I'd prefer to use 1.9.x though, since
> it comes with my distro and some other software uses 1.9. Also, if I
> use ruby 1.8.7 to register my client, then upgrade everything to ruby
> 1.9, the agent works (presumably because the certificate setup is
> already complete).
>
> Thanks in advance,
> --Ed
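
The steps from the reply above as one script, added here as an example that is not part of the original messages: it computes the subject hash, creates the ".0" link, and confirms the result with `openssl verify -CApath`. It goes slightly beyond the post by handling a link name that is already taken; the function names and the throwaway demo CA and agent certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All file names below are constructed; the CA and agent
# certificate are throwaway ones generated in a temp directory.

# link_ca_cert CA_PEM CERTS_DIR: CA_PEM must be an absolute path.
# Prints the path of the hashed link it created (or found already present).
link_ca_cert() {
    ca_pem=$1; certs_dir=$2
    hash=$(openssl x509 -hash -noout -in "$ca_pem") || return 1
    want=$(openssl x509 -fingerprint -sha256 -noout -in "$ca_pem")
    n=0
    # Different CAs can share a subject hash; OpenSSL then tries HASH.0,
    # HASH.1, ... in order, so use the first suffix not already taken.
    while [ -e "$certs_dir/$hash.$n" ]; do
        have=$(openssl x509 -fingerprint -sha256 -noout \
            -in "$certs_dir/$hash.$n" 2>/dev/null)
        if [ "$have" = "$want" ]; then
            echo "$certs_dir/$hash.$n"; return 0   # already linked
        fi
        n=$((n + 1))
    done
    ln -sf "$ca_pem" "$certs_dir/$hash.$n" || return 1  # -f replaces a dangling link
    echo "$certs_dir/$hash.$n"
}

# Succeeds if OpenSSL can build the chain using CERTS_DIR as its CApath.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Constructed throwaway PKI standing in for the Puppet CA and an agent cert.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca_key.pem" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
        -keyout "$1/agent_key.pem" -out "$1/agent.csr" 2>/dev/null
    openssl x509 -req -in "$1/agent.csr" -CA "$1/ca.pem" -days 1 \
        -CAkey "$1/ca_key.pem" -CAcreateserial -out "$1/agent.pem" 2>/dev/null
}

tmp=$(mktemp -d); mkdir "$tmp/certs"
make_demo_pki "$tmp"
verify_with_capath "$tmp/agent.pem" "$tmp/certs" || echo "before: verify failed"
link=$(link_ca_cert "$tmp/ca.pem" "$tmp/certs")
verify_with_capath "$tmp/agent.pem" "$tmp/certs" && echo "after: OK via $link"
```

On a real agent, CERTS_DIR would be the `certs` directory under the path printed by `openssl version -d`, and CA_PEM the copied Puppet CA certificate.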
