Hi all,

I attempted to add an EL5.1 client to our puppet server (EL5), and after signing the client cert, got the error "Certificates were not trusted: hostname not match with the server certificate"

I found the mailing list discussion and the relevant page:
http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006

As far as I can tell, my puppetmaster's cert CN matches the FQDN and always did. However, the clients used a different name to connect to the server. It sounds like just changing the clients to ask for the FQDN would do the trick, but it doesn't.

The server has two interfaces, one public, one private; here's the output from the EL5.1 client:

[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
err: Could not retrieve configuration: Certificates were not trusted: hostname not match with the server certificate
warning: Not using cache on failed configuration
[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.local
err: Could not retrieve configuration: Certificates were not trusted: hostname not match with the server certificate
warning: Not using cache on failed configuration
[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.genomics.upenn.edu
info: Caching configuration at /var/lib/puppet/localconfig.yaml
info: /File[/root/GPFS/build.sh]: Adding aliases "gpfs_update"
info: /File[/root/grid.prf]: Adding aliases "grid_prf_update"
info: /File[/root/grid.svc]: Adding aliases "grid_svc_update"
notice: Starting configuration run
notice: //default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure: created
notice: //default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure: created
err: //default/ldap/File[/etc/openldap/ldap.conf]/source: Could not describe /dist/openldap-ldap.conf: Certificates were not trusted: hostname not match with the server certificate
err: //default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source: Could not describe /dist/grid.prf: Certificates were not trusted: hostname not match with the server certificate
...
...

So it looks like all the File directives error out still. Does the fileserver use a different cert?

I also tried the 'openssl s_client -connect <name>:8140' and I get the same error for all three values of <name>: cob, cob.local, cob.genomics.upenn.edu
Verify return code: 21 (unable to verify the first certificate)

This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on EL5.

What should I try next?

Regards,
--
Alex Chekholko
is the server = setting in your puppet.conf consistent with what you are passing on the commandline? I've had a couple of odd things happen when I tried to use one but the other didn't match.

C

On 12/11/07, Alex Chekholko <chekh@pcbi.upenn.edu> wrote:
> Hi all,
>
> I attempted to add an EL5.1 client to our puppet server (EL5), and after
> signing the client cert, got the error "Certificates were not trusted:
> hostname not match with the server certificate"
> [...]

--
stickm@gmail.com
-==< Stick >==-
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
Thank you for your response.

I do not have a "server =" line in my /etc/puppet/puppet.conf but I do have a "PUPPET_SERVER=" line in /etc/sysconfig/puppet. The init script uses the latter value to launch "puppetd --server=${PUPPET_SERVER}". This is the standard setup from the RPM.

However, in this case I've stopped puppet and am running it manually as below, so the config file value shouldn't matter.

Regards,
Alex

On Tue, 11 Dec 2007 12:41:15 -0500
"Chris MacLeod" <stickm@gmail.com> wrote:
> is the server = setting in your puppet.conf consistent with what you are
> passing on the commandline? I've had a couple of odd things happen when I
> tried to use one but the other didn't match.
> C
> [...]

--
Alex Chekholko
Office: 215-573-8119
Cell: 347-401-4860
Hi Alex:

It's been a while since I dealt with the certname issue on my install, but I vaguely remember clients storing the cert via the CNAME I'd used for the server in /etc/puppet/ssl. The fileserver doesn't use a separate cert, so that shouldn't be your issue.

I don't have my notes with me, but at one point I know I simply removed all the client cert information and went through the signing process again, but I can't tell you for which of the various solutions I attempted this was for. Might be something to check if you're stuck.

Boone

Alex Chekholko wrote:
> Thank you for your response.
>
> I do not have a "server =" line in my /etc/puppet/puppet.conf but I do
> have a "PUPPET_SERVER=" line in /etc/sysconfig/puppet. The init script
> uses the latter value to launch "puppetd --server=${PUPPET_SERVER}"
> This is the standard setup from the RPM.
>
> However, in this case I've stopped puppet and am running it manually as
> below, so the config file value shouldn't matter.
> [...]
Hi,

Thanks for your suggestion. I tried it and it didn't help.

However, I found the problem! My file declarations all had things like

source => "puppet://cob.local/dist/grid.prf",

When it should now be

source => "puppet:///dist/grid.prf",

or

source => "puppet://fqdn/dist/grid.prf",

per the wiki page.

My fault. Thanks everyone for all your help.

Regards,
Alex

On Tue, 11 Dec 2007 12:08:05 -0600
Boone Bradley <boone@altec.org> wrote:
> Hi Alex:
>
> It's been a while since I dealt with the certname issue on my install,
> but I vaguely remember clients storing the cert via the CNAME I'd used
> for the server in /etc/puppet/ssl. The fileserver doesn't use a
> separate cert, so that shouldn't be your issue.
> [...]
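The resolution above is a plain hostname-verification mismatch: after RubySSL-2007-006 the client compares the name it dialled against the name in the master's certificate, and a file source written as puppet://cob.local/... makes the file-serving connection dial cob.local even when puppetd itself was pointed at the FQDN, so the catalog run succeeds and every File source fails. The following is an added example, not code from Puppet or from anyone in this thread: a small offline lint that scans a manifest for puppet:// sources and reports each host that would not match the master's certificate. The certificate is a constructed dict in the shape Python's ssl.getpeercert() returns, carrying the CN the thread states (cob.genomics.upenn.edu); the DNS subjectAltName entry and the manifest fragment are assumptions for the demonstration. The matching rule (SANs take precedence over the CN, wildcard only as the whole leftmost label) is the modern RFC 6125 rule and goes beyond what a 2007 Ruby/OpenSSL client did, which checked the CN. One caveat on the openssl s_client test in the first message: "Verify return code: 21 (unable to verify the first certificate)" means s_client was not given a trust anchor (pass the Puppet CA with -CAfile), and s_client of that era did no hostname check at all, so that output says nothing either way about the CN mismatch.

```python
"""Lint puppet:// file sources against the puppetmaster's certificate name.

Added example, not Puppet's own code.  Runs offline on constructed input.
"""
import re
from typing import List, Tuple

# Constructed: a cert in the shape ssl.SSLSocket.getpeercert() returns.
# The CN is the FQDN the thread gives; the DNS SAN is an assumption.
MASTER_CERT = {
    "subject": ((("commonName", "cob.genomics.upenn.edu"),),),
    "subjectAltName": (("DNS", "cob.genomics.upenn.edu"),),
}

# Constructed manifest fragment modelled on the declarations in the thread:
# two sources name the wrong host, one uses the bare form, one the FQDN.
SAMPLE_MANIFEST = '''
file { "/root/grid.prf":
    source => "puppet://cob.local/dist/grid.prf",
}
file { "/etc/openldap/ldap.conf":
    source => "puppet://cob/dist/openldap-ldap.conf",
}
file { "/root/GPFS/build.sh":
    source => "puppet:///dist/build.sh",
}
file { "/root/grid.svc":
    source => "puppet://cob.genomics.upenn.edu/dist/grid.svc",
}
'''

# host (possibly empty) and path of every  source => "puppet://host/path"
SOURCE_RE = re.compile(r'source\s*=>\s*"puppet://([^/"]*)/([^"]*)"')


def cert_names(cert: dict) -> List[str]:
    """Names a client may present for this server: the DNS SANs, or the
    CN only when the cert carries no DNS SAN (RFC 6125 precedence)."""
    dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a wildcard is accepted only as the whole
    leftmost label, never matching across a dot or a whole TLD."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(hostname: str, cert: dict) -> bool:
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_manifest(manifest: str, cert: dict, agent_server: str) -> List[Tuple[str, str, bool]]:
    """Return (host, path, ok) for each puppet:// source.  An empty host
    (puppet:///...) means 'the server the agent already dialled', so it is
    checked as agent_server, which must itself match the cert."""
    results = []
    for m in SOURCE_RE.finditer(manifest):
        host, path = m.group(1), m.group(2)
        results.append((host, path, host_matches_cert(host or agent_server, cert)))
    return results


def bad_sources(manifest: str, cert: dict, agent_server: str) -> List[Tuple[str, str]]:
    """Just the (host, path) pairs that would trip the hostname check."""
    return [(h, p) for (h, p, ok) in check_manifest(manifest, cert, agent_server) if not ok]


if __name__ == "__main__":
    for host, path, ok in check_manifest(SAMPLE_MANIFEST, MASTER_CERT, "cob.genomics.upenn.edu"):
        print("ok  " if ok else "FAIL", f"puppet://{host}/{path}")
```

Run it as-is and the two sources naming cob.local and cob are reported, while puppet:/// and the FQDN form pass, which is the same split the client's run above shows. Passing cob.local as the agent's server name makes the puppet:/// source fail too, since the bare form inherits whatever name the agent dialled; the lint therefore checks both the manifest and the --server value together.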