I am having SSL verification problems on a new installation of puppet.

The puppet master is a Centos5 clean install, running 0.24.4-1
The client machine is a Centos5 clean install running 0.22.4-1

I start up puppet on the client and it requests its certificate.
I use puppetca on the server to sign the cert.
Then when I start up puppet on the client, I get this in the error logs:

May 4 20:43:39 buildserver puppetd[10824]: Starting Puppet client version 0.24.4
May 4 20:43:40 buildserver puppetd[10824]: Could not retrieve catalog: Certificates were not trusted: certificate verify failed

Both machines are syncing their time from the same source, and have the same time (and timezone).

When I try to verify the cert I get:

openssl verify -CAfile /var/lib/puppet/ssl/certs/buildserver.blacksun.localnet.pem /var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/ca.pem: /CN=puppet100.blacksun.localnet
error 18 at 0 depth lookup:self signed certificate

I wanted to spend the weekend learning about puppet but instead I have been trying to get this to work with no success. Slightly less hair now than I had on Friday.

Any help very much appreciated.

Brett

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Luke Kanies
2008-May-05 04:15 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
Try puppetca --clean <hostname> on the server, and remove the ssl dir on the client. Looks like you've got a cert that doesn't match your private key or something.

--
It is a mistake to think you can solve any major problems just with potatoes. --Douglas Adams
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Sorry, forgot to mention I had already done that, then re-requested/signed the cert; following that, the same error still exists.

Brett
Ohad Levy
2008-May-05 10:31 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
Do you have other clients that work?

How did you sign the original puppetmaster? Is it a self-signed certificate?
Could it be that your puppetmaster certificate is misbehaving?
On 5 May, 11:31, "Ohad Levy" <ohadl...@gmail.com> wrote:
> Do you have other clients that work?

No, this is the first client. I have tried another that also had the same problem.

> How did you sign the original puppetmaster? Is it a self-signed certificate?
> Could it be that your puppetmaster certificate is misbehaving?

I installed the puppetmaster software and then ran it. I have not done anything with certificates on the puppetmaster; I was under the impression this end was all automated and did not require any configuration setup from me. Am I incorrect in my assumption here?

Brett
Ohad Levy
2008-May-05 14:14 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
To be on the safe side:

on the puppetmaster
stop puppetmaster
rm -rf ~puppet/ssl/*
start puppetmaster

On the client do the same and retry.
If you are using the default configuration, you should not have any problem getting it working.

Good luck :)
Is it related to this? http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006

I had a similar problem and I'm not sure exactly what steps cured it, but I moved to Puppet .24.4 and also the latest available Ruby packages (on Ubuntu).
Clearing the SSL directory on the puppetmaster has cured the problem. I guess something in there was corrupt, unsure what/why. It hadn't occurred to me to remove those files as I didn't realise that the puppetmaster would regenerate this.

Thanks for the help, much appreciated.

Brett
daniel@bae
2008-Jun-20 17:50 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
Hi all-

Ran into the aforementioned problem - the "Could not retrieve catalog: Certificates were not trusted: certificate verify failed" error. I followed the steps listed here, but then after I've cleared the ssl cache, I get this error from the client trying to start puppetd:

[root@ktest-rhel45-p24 puppet]# puppetd --server myurl.domain.com --waitforcert 30 --test
warning: peer certificate won't be verified in this SSL session.
/usr/lib64/site_ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: No such file or directory - /etc/puppet/ssl/ca/requests/ktest-rhel45-p24.4.pem (Puppet::Error)
from /usr/bin/puppetd:356

This appears to have been deleted when I cleared the ssl cache... but what do I do now?

Thanks,
Daniel
Ian Duggan
2008-Aug-20 00:46 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
This is happening for me as well, but I may have another datapoint.

I'm running puppetd and puppetmaster on the same machine, but it is not named "puppet". I am using a server= parameter in puppet.conf. (I'm doing this because we already have a puppetmaster living on puppet... I'm experimenting with moving to a modules based setup)

I also get the self-signed certificate indication when running "openssl verify".

Adding "puppet" to /etc/hosts and removing the server= setting causes the problem to go away.

Perhaps this is just an odd corner case?

--Ian
Ian Duggan
2008-Aug-20 00:54 UTC
[Puppet Users] Re: SSL Problems on new Puppet Installation
One more data point. It works if I have the server= setting in puppet.conf or use --server on the puppetd command line. It always fails if "puppet" is not in /etc/hosts

--Ian
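
The openssl verify call in the first message passes the client certificate to -CAfile and checks ca.pem against it, so error 18 only reports that ca.pem is self-signed, which every CA root is. This added example (not from the thread; the throwaway CA, file names and example.test hostnames are constructed, and OpenSSL 1.1.0 or later is assumed) runs the check in both orders and also tests the two causes raised in the replies: a certificate that does not match its private key, and an agent certificate left over from before the master's CA was regenerated.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp dir. All names are constructed
# placeholders, not the hosts or files from the thread.
WORK=$(mktemp -d)

# Create a self-signed CA certificate and key: $1 = file prefix, $2 = CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1_key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# Create a key and CSR, then sign the CSR with a CA:
# $1 = file prefix, $2 = CN, $3 = prefix of the signing CA.
make_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1_key.pem" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -days 2 -CAcreateserial \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3_key.pem" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# -CAfile names the trust anchor; the final argument is the certificate
# being checked. Prints openssl's verdict and returns its exit status.
verify_against() {   # $1 = trusted CA prefix, $2 = prefix of cert under test
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1
}

# A certificate and a private key belong together when both yield the
# same public key.
key_matches_cert() {   # $1 = certificate prefix, $2 = key prefix
    [ "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$2_key.pem" -pubout)" ]
}

make_ca ca "master.example.test"
make_signed_cert agent "agent.example.test" ca
# A second CA with the same name but a new key: what a master produces
# after its ssl directory has been wiped.
make_ca new_ca "master.example.test"

echo "1. agent cert checked against the CA that signed it:"
verify_against ca agent || echo "-> exit status $?"

echo "2. arguments swapped (CA cert checked against the agent cert):"
verify_against agent ca || echo "-> exit status $?"

echo "3. old agent cert checked against the regenerated CA:"
verify_against new_ca agent || echo "-> exit status $?"

echo "4. agent cert and agent key belong together:"
if key_matches_cert agent agent; then echo yes; else echo no; fi

echo "5. agent cert and CA key belong together:"
if key_matches_cert agent ca; then echo yes; else echo no; fi
```

Case 3 is why the advice in the thread clears the ssl directory on the client as well as on the master: a certificate signed by the old CA key cannot verify against the regenerated one.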