Hello list!!

I am a new puppet user and I am having trouble getting the server to verify the client cert. I know this has been covered before but I have tried several things and no luck as of yet.

If I run a puppet test --waitfor cert in the client this is what I get.

[root@VIRTCENT10:~] #puppetd --test --waitforcert 15
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for virtcent10.summitnjhome.com
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I found a useful link on this problem here:

http://www.mailinglistarchive.com/html/puppet-users@googlegroups.com/2010-04/msg00670.html

and I thought that the problem may have been that I did not specify the fqdn of the server on the puppetd --test command I had used. So I rm'd the puppet directory in /var/lib and the config directory in /etc and then reinstalled the puppet client. Then I ran puppetca --clean virtcent10.summitnjhome.com on the server.

At that point I ran the command again specifying the fqdn of the server.

[root@VIRTCENT10:~] #puppetd --test virtcent13.summitnjhome.com --waitforcert 15
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for virtcent10.summitnjhome.com
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I'm enclosing more verbose output of puppet test in a hope that a solution to this problem can be found.

Thanks in advance!

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Also localtime on both boxes seems to be in lockstep and have a cron job that runs ntpdate once a day.

[root@virtcent13:/var/lib/puppet/ssl/certs] #date
Sat Feb 5 23:24:46 EST 2011

[root@virtcent10:~] #date
Sat Feb 5 23:24:45 EST 2011

(the one second difference was me switching terminals and typing the command) :)

Did you really run this command or was it a typo?

> root@VIRTCENT10:~] #puppetd --test virtcent13.summitnjhome.com --waitforcert 15

Try puppetd --test --server virtcent13....--waitforcert

You can look down the bottom of here for some ssl debug tips.
http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

If all else fails, make sure your dns is working, remove your ssl directories from server and client and try again.

You can of course change the ssl options in puppet.conf, like certname, if you really get stuck.

Cheers,
Den

On 06/02/2011, at 15:26, Tim Dunphy <bluethundr@gmail.com> wrote:
> root@VIRTCENT10:~] #puppetd --test virtcent13.summitnjhome.com --waitforcert 15

On Sat, Feb 5, 2011 at 7:54 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
> Hello list!!
>
> I am a new puppet user and I am having trouble getting the server to
> verify the client cert. I know this has been covered before but I have
> tried several things and no luck as of yet.

This probably isn't your problem, but I want to post an experience I had with getting the certificates to validate.

We inadvertently removed /var/lib/puppet/ssl on the puppetmaster and needed to recertify all of the clients against the new CA the puppetmaster created. The clients would sort of half validate, but still had cert errors. I checked their clocks, I removed the ssl directory on the client, I removed all the files in /var/lib/puppet -- nothing worked.

Finally I remembered our puppetmaster is front-ended by nginx -- and it also uses the puppet ssl keys -- and I hadn't restarted it since changing the puppetmaster's keys, etc.

Once I restarted it, everything worked again.

Hey Guys!!

Thanks for your input! Well it turns out there were some weird things going on with the dns server. Once I addressed those and rm'd the ssl directories (server and client side) and restarted the process everything works!!!

[root@VIRTCENT04:~] #puppetd --test virtcent13.summitnjhome.com --waitforcert 15
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for virtcent04.summitnjhome.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for virtcent04.summitnjhome.com
info: Applying configuration version '1297007418'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.04 seconds

HUZZAH!!! Onto the task of creating my puppet config! :-)

On Sun, Feb 6, 2011 at 10:25 AM, Rich Rauenzahn <rrauenza@gmail.com> wrote:
> On Sat, Feb 5, 2011 at 7:54 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>> Hello list!!
>>
>> I am a new puppet user and I am having trouble getting the server to
>> verify the client cert. I know this has been covered before but I have
>> tried several things and no luck as of yet.
>
> This probably isn't your problem, but I want to post an experience I
> had with getting the certificates to validate.
>
> We inadvertently removed /var/lib/puppet/ssl on the puppetmaster and
> needed to recertify all of the clients against the new CA the
> puppetmaster created. The clients would sort of half validate, but
> still had cert errors. I checked their clocks, I removed the ssl
> directory on the client, I removed all the files in /var/lib/puppet --
> nothing worked.
>
> Finally I remembered our puppetmaster is front-ended by nginx -- and
> it also uses the puppet ssl keys -- and I hadn't restarted it since
> changing the puppetmaster's keys, etc.
>
> Once I restarted it, everything worked again.