Hello,

I try to install puppet on freebsd 6.X. All is well but I cannot get the certificate to install and be recognized. I run .19.3.

I run the puppetd --test --waitforcert 60

then sign

and then I got:

err: No certificate; running with reduced functionality.
info: Creating a new SSL key at /usr/local/.aqadmin/puppet/conf/ssl/private_keys/xxxxxxxxxxxxxx.pem
info: Creating a new certificate request for xxxxxxxxxxxxxxxxx
info: Requesting certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
info: Requesting certificate
warning: peer certificate won't be verified in this SSL session
info: Retrieving facts
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: source puppet://xxxxxxxxxxxx/facts does not exist
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: Could not retrieve information on /usr/local/.aqadmin/puppet/var/facts
err: Could not retrieve configuration: Certificates were not trusted: certificate verify failed
warning: Not using cache on failed configuration

on the server:

puppet:/# puppetca --list
No certificates to sign
puppet:/# puppetca --list
xxxxxxxxxxxxxxxxxxx
puppet:/# puppetca --sign xxxxxxxxxxxxxxxxxxx
Signed xxxxxxxxxxxxxxxxx
puppet:/#

With the debug on the client I got:

debug: getting config
info: Retrieving facts
debug: Calling fileserver.describe
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: source puppet://yyyyyyyyyyyy/facts does not exist
debug: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: Creating checksum {time}Thu Nov 02 13:51:05 +0000 2006
debug: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: Changing source
debug: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: 1 change(s)
debug: Calling fileserver.describe
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: Could not retrieve information on /usr/local/.aqadmin/puppet/var/facts
debug: Finishing transaction 76675410 with 1 changes
debug: Calling puppetmaster.getconfig
err: Could not retrieve configuration: Certificates were not trusted: certificate verify failed
warning: Not using cache on failed configuration

allo01# openssl version
OpenSSL 0.9.7e-p1 25 Oct 2004
allo01# facter
domain => xxxxxx
facterversion => 1.3.5
fqdn => xxxxxxxxxxxxxxxxxx
hardwaremodel => i386
hostname => allo01
ipaddress => xx.Xx.xx.xx
kernel => FreeBSD
kernelrelease => 6.0-RELEASE
operatingsystem => FreeBSD
operatingsystemrelease => 6.0-RELEASE
ps => ps -auxwww
puppetversion => 0.19.3
rubysitedir => /usr/local/lib/ruby/site_ruby/1.8
rubyversion => 1.8.5

Destroying all puppet files in the client and puppetca --clean the host does not do anything; I cannot make them trust each other. Any hints about something I missed here? The method was OK for my 4.x hosts but it seems it fails on my 6.x machines.

--
Regards,
Ghislain ADNET.
AQUEOS.

Attention! For any support request or domain order, please now use: http://support.aqueos.net.

AQUEOS - Service Informatique
1, Rue Albert Einstein
Champs sur Marne
77447 Marne la vallée CEDEX2
Technical support: http://support.aqueos.net
Sales: commercial@aqueos.com
Tel : 01.64.02.99.37, Fax: 01.72.70.32.66
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

Adnet Ghislain wrote:
> Destroying all puppet files in the client and puppetca --clean the host
> does not do anything; I cannot make them trust each other. Any hints
> about something I missed here?

The FAQ lists a method for verifying certificates manually using the openssl binary; have you tried that?

Most of the occurrences of this problem are because the client's clock is wrong by too much, so its cert is not yet valid.

--
Talent hits a target no one else can hit; Genius hits a target no one else can see.
                -- Arthur Schopenhauer
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

I did it:

SERVER:

puppet:/# puppetca --clean myclient.com
Removing /etc/puppet/ssl/ca/signed/myclient.com.pem
puppet:/# puppetca --list
myclient.com
puppet:/# puppetca --sign myclient.com
Signed myclient.com
puppet:/# openssl verify -CAfile /etc/puppet/ssl/certs/ca.pem /etc/puppet/ssl/ca/signed/myclient.com.pem
/etc/puppet/ssl/ca/signed/myclient.com.pem: OK
puppet:/# date
jeu nov 2 17:09:17 CET 2006
puppet:/#

CLIENT:

client# mkdir -m 700 -p /usr/local/.aqadmin/puppet/conf/ssl ;
mkdir -m 700 -p /usr/local/.aqadmin/puppet/var/facts ;
mkdir -m 700 -p /usr/local/.aqadmin/puppet/log ;
mkdir -m 700 -p /usr/local/.aqadmin/puppet/run ;
mkdir -m 700 -p /usr/local/.aqadmin/puppet/state ;
puppetd --confdir=/usr/local/.aqadmin/puppet/conf --logdir=/usr/local/.aqadmin/puppet/log --rundir=/usr/local/.aqadmin/puppet/run --statedir=/usr/local/.aqadmin/puppet/state --lockdir=/usr/local/.aqadmin/puppet/run --vardir=/usr/local/.aqadmin/puppet/var --factsync --server=puppet.SERVER.IP.IP --waitforcert 60 --test
err: No certificate; running with reduced functionality.
info: Creating a new SSL key at /usr/local/.aqadmin/puppet/conf/ssl/private_keys/myclient.com.pem
info: Creating a new certificate request for myclient.com
info: Requesting certificate
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
info: Requesting certificate
warning: peer certificate won't be verified in this SSL session
info: Retrieving facts
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: source puppet://puppet.SERVER.IP.IP/facts does not exist
err: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts/source: Could not describe /facts: Certificates were not trusted: certificate verify failed
notice: fact_collector/file=/usr/local/.aqadmin/puppet/var/facts: Could not retrieve information on /usr/local/.aqadmin/puppet/var/facts
err: Could not retrieve configuration: Certificates were not trusted: certificate verify failed
warning: Not using cache on failed configuration
client# date
Thu Nov 2 17:12:05 CET 2006

but still untrusted. :(

Regards,
Ghislain ADNET.
AQUEOS.

Luke Kanies wrote:
> The FAQ lists a method for verifying certificates manually using the
> openssl binary; have you tried that?
>
> Most of the occurrences of this problem are because the client's clock
> is wrong by too much, so its cert is not yet valid.

Adnet Ghislain wrote:
> I did it:
>
> SERVER:
> puppet:/# puppetca --clean myclient.com
> Removing /etc/puppet/ssl/ca/signed/myclient.com.pem
> puppet:/# puppetca --list
> myclient.com
> puppet:/# puppetca --sign myclient.com
> Signed myclient.com
> puppet:/# openssl verify -CAfile /etc/puppet/ssl/certs/ca.pem /etc/puppet/ssl/ca/signed/myclient.com.pem
> /etc/puppet/ssl/ca/signed/myclient.com.pem: OK
> puppet:/# date
> jeu nov 2 17:09:17 CET 2006
> puppet:/#

Can you run this verification on the client?

--
Love truth, and pardon error.
                -- Voltaire
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

I got:

allo01# /usr/bin/openssl verify -CAfile ./ca.pem ./myclient..pem
./myclient.pem: /CN=puppet.myserver.com
error 7 at 1 depth lookup:certificate signature failure

dam... :(

Regards,
Ghislain

> Can you run this verification on the client?

Adnet Ghislain wrote:
> I got:
>
> allo01# /usr/bin/openssl verify -CAfile ./ca.pem ./myclient..pem
> ./myclient.pem: /CN=puppet.myserver.com
> error 7 at 1 depth lookup:certificate signature failure

I haven't seen this error before. According to a quick search, it seems to be a relatively common SSL error, but I couldn't find a common solution to the problem.

I'm still out of town, but I'll look around a bit more to see if I can find the source of the problem.

--
Learning is not attained by chance, it must be sought for with ardor and attended to with diligence.
                -- Abigail Adams
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

Thanks Luke, I will continue to try some tricks, but for now it failed at each try.

Regards,
Ghislain

> I haven't seen this error before. According to a quick search, it seems
> to be a relatively common SSL error, but I couldn't find a common
> solution to the problem.
>
> I'm still out of town, but I'll look around a bit more to see if I can
> find the source of the problem.
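
Added example, not part of the original messages and not Puppet's own code: a Ruby sketch that reproduces the two verification failures named in this thread, a certificate that is "not yet valid" on a host with a slow clock and "error 7 ... certificate signature failure", and shows the OpenSSL error code each one returns. The hostnames, keys and certificates are constructed in memory, and the stale-CA scenario is one assumed way to trigger error 7; it is not a diagnosis of the case above.

```ruby
require "openssl"

# Constructed sample data: throwaway keys and certificates built in memory.
# puppet.example.test and myclient.example.test are hypothetical names.
def make_cert(cn, key, issuer_cert, issuer_key, not_before, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 5 * 365 * 86_400
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify cert against ca_cert as a host whose clock reads `clock`.
# Returns [ok, openssl_error_code, error_string].
def verify_as_client(cert, ca_cert, clock)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = clock
  ok = store.verify(cert)
  [ok, store.error, store.error_string]
end

NOW = Time.now
ca_key, other_key, client_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
CA = make_cert("puppet.example.test", ca_key, nil, nil, NOW - 86_400, ca: true)
# Assumed scenario: same CA subject name, different key (a ca.pem from another CA).
STALE_CA = make_cert("puppet.example.test", other_key, nil, nil, NOW - 86_400, ca: true)
CLIENT = make_cert("myclient.example.test", client_key, CA, ca_key, NOW)

CASES = {
  "clock in sync, matching CA" => verify_as_client(CLIENT, CA, NOW + 60),
  "client clock one hour slow" => verify_as_client(CLIENT, CA, NOW - 3600),
  "ca.pem from a different CA key" => verify_as_client(CLIENT, STALE_CA, NOW + 60)
}
CASES.each { |name, (ok, code, msg)| puts format("%-32s ok=%-5s error %d: %s", name, ok, code, msg) }
```

Comparing `date` on both hosts rules out the clock case; a signature failure points at the CA certificate or key the verifying host holds not matching the one that signed the certificate.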