Puppet users - Dec 2007 - EL5.1 client problems

Hi all,

I attempted to add an EL5.1 client to our puppet server (EL5), and after
signing the client cert, got the error "Certificates were not trusted:
hostname not match with the server certificate"

I found the mailing list discussion and the relevant page:
http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006

As far as I can tell, my puppermaster''s cert CN matches the FQDN and
always did.  However, the clients used a
different name to connect to the server.  It sounds like just changing
the clients to ask for the FQDN would do the trick, but it doesn''t.

The server has two interfaces, one public, one private; here''s the
output from the EL5.1 client:

[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
err: Could not retrieve configuration: Certificates were not trusted: hostname
not match with the server certificate
warning: Not using cache on failed configuration
[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.local
err: Could not retrieve configuration: Certificates were not trusted: hostname
not match with the server certificate
warning: Not using cache on failed configuration
[root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.genomics.upenn.edu
info: Caching configuration at /var/lib/puppet/localconfig.yaml
info: /File[/root/GPFS/build.sh]: Adding aliases "gpfs_update"
info: /File[/root/grid.prf]: Adding aliases "grid_prf_update"
info: /File[/root/grid.svc]: Adding aliases "grid_svc_update"
notice: Starting configuration run
notice:
//default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure:
created
notice:
//default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure:
created
err: //default/ldap/File[/etc/openldap/ldap.conf]/source: Could not describe
/dist/openldap-ldap.conf: Certificates were not trusted: hostname not match with
the server certificate
err:
//default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source:
Could not describe /dist/grid.prf: Certificates were not trusted: hostname not
match with the server certificate
...
...

So it looks like all the File directives error out still.  Does the fileserver
use a different cert?

I also tried the ''openssl s_client -connect <name>:8140''
and I get the same error for all three values of <name>: cob, cob.local,
cob.genomics.upenn.edu
Verify return code: 21 (unable to verify the first certificate)

This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on EL5.

What should I try next?

Regards,
-- 
Alex Chekholko

is the server = setting in your puppet.conf consistent with what you are
passing on the commandline?  I''ve had a couple of odd things happen
when I
tried to use one but the other didn''t match.
C

On 12/11/07, Alex Chekholko <chekh@pcbi.upenn.edu>
wrote:
>
> Hi all,
>
> I attempted to add an EL5.1 client to our puppet server (EL5), and after
> signing the client cert, got the error "Certificates were not trusted:
> hostname not match with the server certificate"
>
> I found the mailing list discussion and the relevant page:
> http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
>
> As far as I can tell, my puppermaster''s cert CN matches the FQDN
and
> always did.  However, the clients used a
> different name to connect to the server.  It sounds like just changing
> the clients to ask for the FQDN would do the trick, but it
doesn''t.
>
> The server has two interfaces, one public, one private; here''s the
> output from the EL5.1 client:
>
> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate
> warning: Not using cache on failed configuration
> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.local
> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate
> warning: Not using cache on failed configuration
> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server>
cob.genomics.upenn.edu
> info: Caching configuration at /var/lib/puppet/localconfig.yaml
> info: /File[/root/GPFS/build.sh]: Adding aliases "gpfs_update"
> info: /File[/root/grid.prf]: Adding aliases "grid_prf_update"
> info: /File[/root/grid.svc]: Adding aliases "grid_svc_update"
> notice: Starting configuration run
> notice:
>
//default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure:
> created
> notice:
>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure:
> created
> err: //default/ldap/File[/etc/openldap/ldap.conf]/source: Could not
> describe /dist/openldap-ldap.conf: Certificates were not trusted: hostname
> not match with the server certificate
> err:
>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source:
> Could not describe /dist/grid.prf: Certificates were not trusted: hostname
> not match with the server certificate
> ...
> ...
>
> So it looks like all the File directives error out still.  Does the
> fileserver use a different cert?
>
> I also tried the ''openssl s_client -connect
<name>:8140'' and I get the
> same error for all three values of <name>: cob, cob.local,
> cob.genomics.upenn.edu
> Verify return code: 21 (unable to verify the first certificate)
>
> This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on EL5.
>
> What should I try next?
>
> Regards,
> --
> Alex Chekholko
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>


-- 
stickm@gmail.com
-==< Stick >==-


_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

Thank you for your response.

I do not have a "server =" line in my /etc/puppet/puppet.conf but I do
have a "PUPPET_SERVER=" line in /etc/sysconfig/puppet.  The init
script
uses the latter value to launch "puppetd --server=${PUPPET_SERVER}"
This is the standard setup from the RPM.

However, in this case I''ve stopped puppet and am running it manually as
below, so the config file value shouldn''t matter.

Regards,
ALex

On Tue, 11 Dec 2007 12:41:15 -0500
"Chris MacLeod" <stickm@gmail.com> wrote:
> is the server = setting in your puppet.conf consistent with what you are
> passing on the commandline?  I''ve had a couple of odd things
happen when I
> tried to use one but the other didn''t match.
> C
> 
> On 12/11/07, Alex Chekholko <chekh@pcbi.upenn.edu> wrote:
> >
> > Hi all,
> >
> > I attempted to add an EL5.1 client to our puppet server (EL5), and
after
> > signing the client cert, got the error "Certificates were not
trusted:
> > hostname not match with the server certificate"
> >
> > I found the mailing list discussion and the relevant page:
> > http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
> >
> > As far as I can tell, my puppermaster''s cert CN matches the
FQDN and
> > always did.  However, the clients used a
> > different name to connect to the server.  It sounds like just changing
> > the clients to ask for the FQDN would do the trick, but it
doesn''t.
> >
> > The server has two interfaces, one public, one private;
here''s the
> > output from the EL5.1 client:
> >
> > [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
> > err: Could not retrieve configuration: Certificates were not trusted:
> > hostname not match with the server certificate
> > warning: Not using cache on failed configuration
> > [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.local
> > err: Could not retrieve configuration: Certificates were not trusted:
> > hostname not match with the server certificate
> > warning: Not using cache on failed configuration
> > [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server> >
cob.genomics.upenn.edu
> > info: Caching configuration at /var/lib/puppet/localconfig.yaml
> > info: /File[/root/GPFS/build.sh]: Adding aliases
"gpfs_update"
> > info: /File[/root/grid.prf]: Adding aliases
"grid_prf_update"
> > info: /File[/root/grid.svc]: Adding aliases
"grid_svc_update"
> > notice: Starting configuration run
> > notice:
> >
//default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure:
> > created
> > notice:
> >
//default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure:
> > created
> > err: //default/ldap/File[/etc/openldap/ldap.conf]/source: Could not
> > describe /dist/openldap-ldap.conf: Certificates were not trusted:
hostname
> > not match with the server certificate
> > err:
> >
//default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source:
> > Could not describe /dist/grid.prf: Certificates were not trusted:
hostname
> > not match with the server certificate
> > ...
> > ...
> >
> > So it looks like all the File directives error out still.  Does the
> > fileserver use a different cert?
> >
> > I also tried the ''openssl s_client -connect
<name>:8140'' and I get the
> > same error for all three values of <name>: cob, cob.local,
> > cob.genomics.upenn.edu
> > Verify return code: 21 (unable to verify the first certificate)
> >
> > This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on EL5.
> >
> > What should I try next?
> >
> > Regards,
> > --
> > Alex Chekholko
> > _______________________________________________
> > Puppet-users mailing list
> > Puppet-users@madstop.com
> > https://mail.madstop.com/mailman/listinfo/puppet-users
> >
> 
> 
> 
> -- 
> stickm@gmail.com
> -==< Stick >==-
> 

-- 
Alex Chekholko    Office: 215-573-8119     Cell: 347-401-4860

Hi Alex:

It''s been a while since I dealt with the certname issue on my install, 
but I vaguely remember clients storing the cert via the CNAME I''d used 
for the server in /etc/puppet/ssl.  The fileserver doesn''t use a 
separate cert, so that shouldn''t be your issue.

I don''t have my notes with me, but at one point I know I simply removed
all the client cert information and went through the signing process 
again, but I can''t tell you for which of the various solutions I 
attempted this was for.  Might be something to check if you''re stuck.

Boone

Alex Chekholko wrote:
> Thank you for your response.
> 
> I do not have a "server =" line in my /etc/puppet/puppet.conf but
I do
> have a "PUPPET_SERVER=" line in /etc/sysconfig/puppet.  The init
script
> uses the latter value to launch "puppetd
--server=${PUPPET_SERVER}"
> This is the standard setup from the RPM.
> 
> However, in this case I''ve stopped puppet and am running it
manually as
> below, so the config file value shouldn''t matter.
> 
> Regards,
> ALex
> 
> On Tue, 11 Dec 2007 12:41:15 -0500
> "Chris MacLeod" <stickm@gmail.com> wrote:
> 
>> is the server = setting in your puppet.conf consistent with what you
are
>> passing on the commandline?  I''ve had a couple of odd things
happen when I
>> tried to use one but the other didn''t match.
>> C
>>
>> On 12/11/07, Alex Chekholko <chekh@pcbi.upenn.edu> wrote:
>>> Hi all,
>>>
>>> I attempted to add an EL5.1 client to our puppet server (EL5), and
after
>>> signing the client cert, got the error "Certificates were not
trusted:
>>> hostname not match with the server certificate"
>>>
>>> I found the mailing list discussion and the relevant page:
>>> http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
>>>
>>> As far as I can tell, my puppermaster''s cert CN matches
the FQDN and
>>> always did.  However, the clients used a
>>> different name to connect to the server.  It sounds like just
changing
>>> the clients to ask for the FQDN would do the trick, but it
doesn''t.
>>>
>>> The server has two interfaces, one public, one private;
here''s the
>>> output from the EL5.1 client:
>>>
>>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
>>> err: Could not retrieve configuration: Certificates were not
trusted:
>>> hostname not match with the server certificate
>>> warning: Not using cache on failed configuration
>>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob.local
>>> err: Could not retrieve configuration: Certificates were not
trusted:
>>> hostname not match with the server certificate
>>> warning: Not using cache on failed configuration
>>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server>>>
cob.genomics.upenn.edu
>>> info: Caching configuration at /var/lib/puppet/localconfig.yaml
>>> info: /File[/root/GPFS/build.sh]: Adding aliases
"gpfs_update"
>>> info: /File[/root/grid.prf]: Adding aliases
"grid_prf_update"
>>> info: /File[/root/grid.svc]: Adding aliases
"grid_svc_update"
>>> notice: Starting configuration run
>>> notice:
>>>
//default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure:
>>> created
>>> notice:
>>>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure:
>>> created
>>> err: //default/ldap/File[/etc/openldap/ldap.conf]/source: Could not
>>> describe /dist/openldap-ldap.conf: Certificates were not trusted:
hostname
>>> not match with the server certificate
>>> err:
>>>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source:
>>> Could not describe /dist/grid.prf: Certificates were not trusted:
hostname
>>> not match with the server certificate
>>> ...
>>> ...
>>>
>>> So it looks like all the File directives error out still.  Does the
>>> fileserver use a different cert?
>>>
>>> I also tried the ''openssl s_client -connect
<name>:8140'' and I get the
>>> same error for all three values of <name>: cob, cob.local,
>>> cob.genomics.upenn.edu
>>> Verify return code: 21 (unable to verify the first certificate)
>>>
>>> This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on EL5.
>>>
>>> What should I try next?
>>>
>>> Regards,
>>> --
>>> Alex Chekholko
>>> _______________________________________________
>>> Puppet-users mailing list
>>> Puppet-users@madstop.com
>>> https://mail.madstop.com/mailman/listinfo/puppet-users
>>>
>>
>>
>> -- 
>> stickm@gmail.com
>> -==< Stick >==-
>>
> 
>

Hi,

Thanks for your suggestion.  I tried it and it didn''t help.  However, I
found the problem!

My file declarations all had things like 

 source => "puppet://cob.local/dist/grid.prf",

When it should now be 
source => "puppet:///dist/grid.prf",
or
source => "puppet://fqdn/dist/grid.prf",
per the wiki page.

My fault.

Thanks everyone for all your help.

Regards,
Alex

On Tue, 11 Dec 2007 12:08:05 -0600
Boone Bradley <boone@altec.org> wrote:
> Hi Alex:
> 
> It''s been a while since I dealt with the certname issue on my
install,
> but I vaguely remember clients storing the cert via the CNAME I''d
used
> for the server in /etc/puppet/ssl.  The fileserver doesn''t use a 
> separate cert, so that shouldn''t be your issue.
> 
> I don''t have my notes with me, but at one point I know I simply
removed
> all the client cert information and went through the signing process 
> again, but I can''t tell you for which of the various solutions I 
> attempted this was for.  Might be something to check if you''re
stuck.
> 
> Boone
> 
> Alex Chekholko wrote:
> > Thank you for your response.
> > 
> > I do not have a "server =" line in my
/etc/puppet/puppet.conf but I do
> > have a "PUPPET_SERVER=" line in /etc/sysconfig/puppet.  The
init script
> > uses the latter value to launch "puppetd
--server=${PUPPET_SERVER}"
> > This is the standard setup from the RPM.
> > 
> > However, in this case I''ve stopped puppet and am running it
manually as
> > below, so the config file value shouldn''t matter.
> > 
> > Regards,
> > ALex
> > 
> > On Tue, 11 Dec 2007 12:41:15 -0500
> > "Chris MacLeod" <stickm@gmail.com> wrote:
> > 
> >> is the server = setting in your puppet.conf consistent with what
you are
> >> passing on the commandline?  I''ve had a couple of odd
things happen when I
> >> tried to use one but the other didn''t match.
> >> C
> >>
> >> On 12/11/07, Alex Chekholko <chekh@pcbi.upenn.edu> wrote:
> >>> Hi all,
> >>>
> >>> I attempted to add an EL5.1 client to our puppet server (EL5),
and after
> >>> signing the client cert, got the error "Certificates were
not trusted:
> >>> hostname not match with the server certificate"
> >>>
> >>> I found the mailing list discussion and the relevant page:
> >>> http://www.reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
> >>>
> >>> As far as I can tell, my puppermaster''s cert CN
matches the FQDN and
> >>> always did.  However, the clients used a
> >>> different name to connect to the server.  It sounds like just
changing
> >>> the clients to ask for the FQDN would do the trick, but it
doesn''t.
> >>>
> >>> The server has two interfaces, one public, one private;
here''s the
> >>> output from the EL5.1 client:
> >>>
> >>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server=cob
> >>> err: Could not retrieve configuration: Certificates were not
trusted:
> >>> hostname not match with the server certificate
> >>> warning: Not using cache on failed configuration
> >>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test
--server=cob.local
> >>> err: Could not retrieve configuration: Certificates were not
trusted:
> >>> hostname not match with the server certificate
> >>> warning: Not using cache on failed configuration
> >>> [root@node-r1-u7-c28-p10-o5 ~]# puppetd --test --server>
>>> cob.genomics.upenn.edu
> >>> info: Caching configuration at
/var/lib/puppet/localconfig.yaml
> >>> info: /File[/root/GPFS/build.sh]: Adding aliases
"gpfs_update"
> >>> info: /File[/root/grid.prf]: Adding aliases
"grid_prf_update"
> >>> info: /File[/root/grid.svc]: Adding aliases
"grid_svc_update"
> >>> notice: Starting configuration run
> >>> notice:
> >>>
//default/node-r1-u7-c28-p10-o5/gpfs/gpfs_prereqs/Package[kernel-devel]/ensure:
> >>> created
> >>> notice:
> >>>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_svc/Package[xorg-x11-xauth]/ensure:
> >>> created
> >>> err: //default/ldap/File[/etc/openldap/ldap.conf]/source:
Could not
> >>> describe /dist/openldap-ldap.conf: Certificates were not
trusted: hostname
> >>> not match with the server certificate
> >>> err:
> >>>
//default/node-r1-u7-c28-p10-o5/sge_node/grid_prf/File[/root/grid.prf]/source:
> >>> Could not describe /dist/grid.prf: Certificates were not
trusted: hostname
> >>> not match with the server certificate
> >>> ...
> >>> ...
> >>>
> >>> So it looks like all the File directives error out still. 
Does the
> >>> fileserver use a different cert?
> >>>
> >>> I also tried the ''openssl s_client -connect
<name>:8140'' and I get the
> >>> same error for all three values of <name>: cob,
cob.local,
> >>> cob.genomics.upenn.edu
> >>> Verify return code: 21 (unable to verify the first
certificate)
> >>>
> >>> This is puppet-0.23.2-1.el5 and puppet-server-0.23.2-1.el5 on
EL5.
> >>>
> >>> What should I try next?
> >>>
> >>> Regards,