CraftyTech
2010-Jul-26 14:00 UTC
[Puppet Users] certificate verified failed -- After upgrade/rollback from 2.6
Hello All,

So it turns out that after the upgrade and subsequent rollback from 2.6, I can't get clients to connect to puppetserver anymore. Something got broken with the ssl and I'm having a tough time identifying the problem. So far, I've tried puppetca --clean all (and hostname specific), I even deleted the /etc/puppet/ssl on both client and server, and still verified failed. These are the steps that I follow, in order to test:

On server: puppetca --clean hostname
On client: puppetd -t --waitforcert 20
On server: puppetca -l (it shows the client's FQDN)
On server: puppetca -s "client's FQDN"
On client: certificate verified failed !!

Here's a sample trace/debug:

puppetd -t --trace --debug
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/puppet/run]
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/public_keys/henry_medina.dev.instinet.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/private_keys/henry_medina.dev.instinet.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certs/henry_medina.dev.instinet.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: Finishing transaction -608024118 with 0 changes
debug: Using cached certificate for ca, good until Fri Jul 24 13:14:41 UTC 2015
debug: Using cached certificate for henry_medina.dev.instinet.com, good until Fri Jul 24 13:39:58 UTC 2015
notice: Ignoring --listen on onetime run
debug: Loaded state in 0.68 seconds
debug: Using cached certificate for ca, good until Fri Jul 24 13:14:41 UTC 2015
debug: Using cached certificate for henry_medina.dev.instinet.com, good until Fri Jul 24 13:39:58 UTC 2015
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
/usr/lib/ruby/1.8/net/http.rb:542:in `start'
/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
/usr/lib/ruby/1.8/net/http.rb:772:in `get'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:208:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:106:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/core_ext/benchmark.rb:10:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:105:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:162:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:159
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Any ideas guys?
-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
mohit chawla
2010-Jul-26 14:11 UTC
Re: [Puppet Users] certificate verified failed -- After upgrade/rollback from 2.6
I can think of two things - date/time mismatch at server & client. And why aren't the certificates in /var/lib/puppet (for puppetmaster) ?

On Mon, Jul 26, 2010 at 7:30 PM, CraftyTech <hmmedina@gmail.com> wrote:
CraftyTech
2010-Jul-26 15:31 UTC
[Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
The times are in Sync via NTP. The SSL are in default location as I didn't define it in puppet.conf. I basically deleted /etc/puppet/ssl, /var/lib/puppet/ssl, Did: puppetca --revoke --all, puppetca --clean --all... and still "certificate verify failed" !!. At this point, I'm willing to start from scratch. Is there anything else I can do to reset my ssl config? This is what's running now on puppetmaster:

puppetmasterd --genconfig | grep ssl
# ldapssl = false
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
# The default value is '$confdir/ssl'.
ssldir = /etc/puppet/ssl
# The default value is '$ssldir/private_keys'.
privatekeydir = /etc/puppet/ssl/private_keys
# The default value is '$ssldir/csr_$certname.pem'.
hostcsr = /etc/puppet/ssl/csr_hostname.dev.hostname-fqdn.com.pem
hostpubkey = /etc/puppet/ssl/public_keys/hostname.dev.hostname-fqdn.com.pem
# The default value is '$ssldir/public_keys'.
publickeydir = /etc/puppet/ssl/public_keys
# The default value is '$ssldir/private'.
privatedir = /etc/puppet/ssl/private
hostcert = /etc/puppet/ssl/certs/hostname.dev.hostname-fqdn.com.pem
localcacert = /etc/puppet/ssl/certs/ca.pem
# The default value is '$ssldir/certs'.
certdir = /etc/puppet/ssl/certs
# The default value is '$ssldir/certificate_requests'.
requestdir = /etc/puppet/ssl/certificate_requests
passfile = /etc/puppet/ssl/private/password
hostprivkey = /etc/puppet/ssl/private_keys/hostname-FQDN.com.pem
# The default value is '$ssldir/crl.pem'.
hostcrl = /etc/puppet/ssl/crl.pem
capass = /etc/puppet/ssl/ca/private/ca.pass
# The default value is '$ssldir/ca'.
cadir = /etc/puppet/ssl/ca
capub = /etc/puppet/ssl/ca/ca_pub.pem
csrdir = /etc/puppet/ssl/ca/requests
serial = /etc/puppet/ssl/ca/serial
cacert = /etc/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppet/ssl/ca/ca_crl.pem
signeddir = /etc/puppet/ssl/ca/signed
cert_inventory = /etc/puppet/ssl/ca/inventory.txt
cakey = /etc/puppet/ssl/ca/ca_key.pem
caprivatedir = /etc/puppet/ssl/ca/private

Thanks,
Henry

On Jul 26, 10:11 am, mohit chawla <mohit.chawla.bin...@gmail.com> wrote:
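An added check, not from the thread, for narrowing down where "certificate verify failed" comes from: it compares the agent's cached ca.pem with the master's CA certificate by fingerprint and verifies that the agent's signed cert really chains to that ca.pem, using only openssl and the default ssldir paths from the genconfig output above. The self-test constructs two throwaway CAs in a temp dir to show a healthy agent beside one still holding the CA from before the rollback; the function names and the idea of copying the master's ca_crt.pem next to the agent's ca.pem are my own assumptions.

```shell
#!/bin/sh
# Added diagnostic for a Puppet 0.25-era agent that reports
# "certificate verify failed". Not from the thread; plain openssl only.
# Paths in the comments are the defaults from the genconfig output
# (/etc/puppet/ssl); the test fixture below is constructed, not real data.

# Print the SHA-256 fingerprint of a PEM certificate (public data only).
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^[^=]*=//'
}

# Return 0 when both PEM files hold the same CA certificate, 1 otherwise.
# Agent side: certs/ca.pem versus a copy of the master's ca/ca_crt.pem.
# A mismatch means the agent trusts a CA that is no longer the one signing,
# which is what a CA regenerated after a rollback looks like from the agent.
same_ca() {
    a=$(ca_fingerprint "$1"); b=$(ca_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 when the host certificate chains to the given CA file, 1 otherwise.
# Older openssl builds exit 0 even on a failed verify, so the ": OK" line
# is checked instead of the exit status.
chain_ok() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'
}

# Show the validity window next to the local clock: a notBefore in the
# future (agent clock behind the CA's) fails verification just the same.
cert_validity() {
    openssl x509 -noout -subject -startdate -enddate -in "$1"
    echo "local clock: $(date -u)"
}

# Build a throwaway CA plus a host cert signed by it into directory $1.
# Constructed fixture; the CN mirrors the sanitized name used in the thread.
make_fixture() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Puppet CA for $cn" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/host_key.pem" -out "$dir/host.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$dir/host.csr" -CA "$dir/ca_crt.pem" \
        -CAkey "$dir/ca_key.pem" -CAcreateserial -out "$dir/host.pem" >/dev/null 2>&1
}

# Self-test: a healthy agent, then an agent that kept the CA from before the
# rollback while the master re-created its CA. Returns 0 when both behave.
selftest() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/old" "$tmp/new" || return 1
    make_fixture "$tmp/old" client.dev.domain.com || return 1
    make_fixture "$tmp/new" client.dev.domain.com || return 1
    # Healthy: host cert and ca.pem come from the same CA.
    same_ca "$tmp/new/ca_crt.pem" "$tmp/new/ca_crt.pem" || return 1
    chain_ok "$tmp/new/ca_crt.pem" "$tmp/new/host.pem" || return 1
    # Stale: cached ca.pem is the old CA, the new host cert cannot chain to it.
    same_ca "$tmp/old/ca_crt.pem" "$tmp/new/ca_crt.pem" && return 1
    chain_ok "$tmp/old/ca_crt.pem" "$tmp/new/host.pem" && return 1
    rm -rf "$tmp"
    return 0
}

# Usage on a real agent (master's ca_crt.pem copied over first):
#   same_ca /etc/puppet/ssl/certs/ca.pem ./ca_crt.pem
#   chain_ok /etc/puppet/ssl/certs/ca.pem "/etc/puppet/ssl/certs/$(hostname -f).pem"
#   cert_validity "/etc/puppet/ssl/certs/$(hostname -f).pem"
if [ "${1:-}" = "--selftest" ]; then
    selftest && echo "selftest: OK" || { echo "selftest: FAILED"; exit 1; }
fi
```

If same_ca fails on the real pair, the two sides do not share a CA at all, whatever the cached "good until" dates in the debug output say.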
CraftyTech
2010-Jul-26 15:41 UTC
[Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
Here's the trace:

puppetd -t --trace --debug
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/certs/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/puppet/run]
debug: /File[/etc/puppet/ssl/private_keys/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/public_keys/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: Finishing transaction -608390318 with 0 changes
debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05 UTC 2015
debug: Using cached certificate for client.dev.domain.com, good until Fri Jul 24 15:21:11 UTC 2015
debug: Loaded state in 1.08 seconds
debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05 UTC 2015
debug: Using cached certificate for client.dev.domain.com, good until Fri Jul 24 15:21:11 UTC 2015
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
/usr/lib/ruby/1.8/net/http.rb:542:in `start'
/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
/usr/lib/ruby/1.8/net/http.rb:772:in `get'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:208:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:106:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
/usr/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/core_ext/benchmark.rb:10:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:105:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:162:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:159
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

On Jul 26, 11:31 am, CraftyTech <hmmed...@gmail.com> wrote:
/usr/lib/ruby/1.8/net/http.rb:772:in `get'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in > > > `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:208:in `ssl_store'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in > > > `cert_setup'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in > > > `http_instance'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in > > > `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:106:in > > > `retrieve_catalog'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'' > > > /usr/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/ > > > core_ext/benchmark.rb:10:in `realtime'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:105:in > > > `retrieve_catalog'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:162:in `run'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'' > > > /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in > > > `onetime'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'' > > > 
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in > > > `exit_on_fail'' > > > /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'' > > > /usr/sbin/puppetd:159 > > > err: Could not retrieve catalog from remote server: certificate verify > > > failed > > > warning: Not using cache on failed catalog > > > err: Could not retrieve catalog; skipping run > > > > Any ideas guys? > > > > -- > > > You received this message because you are subscribed to the Google Groups > > > "Puppet Users" group. > > > To post to this group, send email to puppet-users@googlegroups.com. > > > To unsubscribe from this group, send email to > > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@google groups.com> > > > . > > > For more options, visit this group at > > >http://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
CraftyTech
2010-Jul-26 15:56 UTC
[Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
If I query the puppet port via SSL:

openssl s_client -connect server.dev.domain.com:8140
CONNECTED(00000003)
depth=1 /CN=ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=server.dev.domain.com
   i:/CN=ca
 1 s:/CN=ca
   i:/CN=ca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe
Fw0xMDA3MjUxNDUyMTlaFw0xNTA3MjQxNDUyMTlaMCIxIDAeBgNVBAMMF2hwanMw
MS5kZXYuaW5zdGluZXQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx
rlx6QM7Suzce2AMQixSxh+GyuiGDXd62Z45+ClhS5IRjRawl1ncy3av/9HWF+B4W
g35ZlYXTrQcXZhmd+HOcMwMuIMZzug8Z+wR912wagsZVWI7FuvfMdYDJYxbS8CbW
S9OpD0fuehWF1fH8wFAxsjajCFvkU0WhcqcNUsTgcQIDAQABo4HlMIHiMDgGCWCG
SAGG+EIBDQQrFilQdXBwZXQgUnVieS9PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR4e/0nJKJU5+KxVMMxj/F2u/cr
CTALBgNVHQ8EBAMCBaAwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggr
BgEFBQcDBDBDBgNVHREEPDA6ggZwdXBwZXSCF2hwanMwMS5kZXYuaW5zdGluZXQu
Y29tghdwdXBwZXQuZGV2Lmluc3RpbmV0LmNvbTANBgkqhkiG9w0BAQUFAAOBgQB4
+DXf/Sa2EHvu3vhQllxSYW+g/UzjieDAZMFBFSXy9QKnOdUCWmzUbtYNWcG/1Tjx
QCZbR3s5Y6BKV+fwi5515/Ao8I5ZlReo0NsS3kR4u/pn6V5st2/f4uYHX+eB2Zlf
BtWp/t9g0P/XKayYx7CYlyBjmc4CAxVfYs+OhDDlTg=
-----END CERTIFICATE-----
subject=/CN=server.dev.domain.com
issuer=/CN=ca
---
No client certificate CA names sent
---
SSL handshake has read 1765 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BC7BD6BE308985441951F5CE8FA701DF5E01EAE4326B05FF0ACA6AA9E78AC2E3
    Session-ID-ctx:
    Master-Key: 9B417072526ACE3A1477212CA8384933098F2987AAA1AE93288098088CA96163EFF1F0F2ED9946BF3B55ED45A6E56E31
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1280159446
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

On Jul 26, 11:41 am, CraftyTech <hmmed...@gmail.com> wrote:
> Here's the trace:
>
> puppetd -t --trace --debug
> debug: Failed to load library 'selinux' for feature 'selinux'
> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
> debug: Puppet::Type::User::ProviderPw: file pw does not exist
> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
> debug: Failed to load library 'ldap' for feature 'ldap'
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
> debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
> debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/certs/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/puppet/run]
> debug: /File[/etc/puppet/ssl/private_keys/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/public_keys/client.dev.domain.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: Finishing transaction -608390318 with 0 changes
> debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05 UTC 2015
> debug: Using cached certificate for client.dev.domain.com, good until Fri Jul 24 15:21:11 UTC 2015
> debug: Loaded state in 1.08 seconds
> debug: Using cached certificate for ca, good until Fri Jul 24 15:20:05 UTC 2015
> debug: Using cached certificate for client.dev.domain.com, good until Fri Jul 24 15:21:11 UTC 2015
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
> /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
> /usr/lib/ruby/1.8/net/http.rb:542:in `start'
> /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
> /usr/lib/ruby/1.8/net/http.rb:772:in `get'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:208:in `ssl_store'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:106:in `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
> /usr/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/core_ext/benchmark.rb:10:in `realtime'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:105:in `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:162:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/sbin/puppetd:159
> err: Could not retrieve catalog from remote server: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> On Jul 26, 11:31 am, CraftyTech <hmmed...@gmail.com> wrote:
> > The times are in sync via NTP. The SSL are in default location as I
> > didn't define it in puppet.conf. I basically deleted /etc/puppet/ssl,
> > /var/lib/puppet/ssl, did: puppetca --revoke --all, puppetca --clean --all...
> > and still "certificate verify failed" !!. At this point, I'm willing to
> > start from scratch. Is there anything else I can do to reset my ssl
> > config? This is what's running now on puppetmaster:
> >
> > puppetmasterd --genconfig | grep ssl
> > # ldapssl = false
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > # The default value is '$confdir/ssl'.
> > ssldir = /etc/puppet/ssl
> > # The default value is '$ssldir/private_keys'.
> > privatekeydir = /etc/puppet/ssl/private_keys
> > # The default value is '$ssldir/csr_$certname.pem'.
> > hostcsr = /etc/puppet/ssl/csr_hostname.dev.hostname-fqdn.com.pem
> > hostpubkey = /etc/puppet/ssl/public_keys/hostname.dev.hostname-fqdn.com.pem
> > # The default value is '$ssldir/public_keys'.
> > publickeydir = /etc/puppet/ssl/public_keys
> > # The default value is '$ssldir/private'.
> > privatedir = /etc/puppet/ssl/private
> > hostcert = /etc/puppet/ssl/certs/hostname.dev.hostname-fqdn.com.pem
> > localcacert = /etc/puppet/ssl/certs/ca.pem
> > # The default value is '$ssldir/certs'.
> > certdir = /etc/puppet/ssl/certs
> > # The default value is '$ssldir/certificate_requests'.
> > requestdir = /etc/puppet/ssl/certificate_requests
> > passfile = /etc/puppet/ssl/private/password
> > hostprivkey = /etc/puppet/ssl/private_keys/hostname-FQDN.com.pem
> > # The default value is '$ssldir/crl.pem'.
> > hostcrl = /etc/puppet/ssl/crl.pem
> > capass = /etc/puppet/ssl/ca/private/ca.pass
> > # The default value is '$ssldir/ca'.
> > cadir = /etc/puppet/ssl/ca
> > capub = /etc/puppet/ssl/ca/ca_pub.pem
> > csrdir = /etc/puppet/ssl/ca/requests
> > serial = /etc/puppet/ssl/ca/serial
> > cacert = /etc/puppet/ssl/ca/ca_crt.pem
> > cacrl = /etc/puppet/ssl/ca/ca_crl.pem
> > signeddir = /etc/puppet/ssl/ca/signed
> > cert_inventory = /etc/puppet/ssl/ca/inventory.txt
> > cakey = /etc/puppet/ssl/ca/ca_key.pem
> > caprivatedir = /etc/puppet/ssl/ca/private
> >
> > Thanks,
> >
> > Henry
> >
> > On Jul 26, 10:11 am, mohit chawla <mohit.chawla.bin...@gmail.com> wrote:
> > > I can think of two things - date/time mismatch at server & client. And why
> > > aren't the certificates in /var/lib/puppet (for puppetmaster)?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
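A note on the s_client output in the post above: "verify error:num=19:self signed certificate in certificate chain" is what s_client reports for any private root when it is run without -CAfile, so it says nothing about the agent's failure. What the agent actually does (the ssl_store frame in host.rb:208 in the trace) is build a trust store containing only its cached /etc/puppet/ssl/certs/ca.pem and verify the master's certificate against it. If the master's ssldir has been regenerated, the new CA has the same subject (/CN=ca) but a different key, and the cached ca.pem can no longer verify the master's cert: hence "certificate verify failed" even though the subject names all look right. The Ruby script below is an added example, not code from this thread or from Puppet; it reproduces that condition in memory with the same Ruby OpenSSL bindings the agent uses, and provides a fingerprint-based diagnosis you can apply to a real ca.pem and to the CA cert the master presents in its chain (the "1 s:/CN=ca" entry, which openssl s_client -showcerts prints in PEM). The CA and host names, serials, validity period and the diagnose/verify_against_ca helpers are assumptions of the example.

```ruby
require 'openssl'

# Added example, not Puppet's own code: reproduce "certificate verify failed"
# after a CA has been regenerated, using the Ruby OpenSSL bindings the agent
# uses in Puppet::SSL::Host#ssl_store. Keys, names and serials are constructed.

FIVE_YEARS = 5 * 365 * 24 * 3600   # the 5-year lifetime seen in the "good until ... 2015" lines

# Fields every certificate needs; the caller sets issuer and extensions.
def new_cert(subject_cn, public_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + FIVE_YEARS
  cert
end

# A self-signed CA like puppetmasterd's /CN=ca. Calling this twice yields two
# CAs with the same subject but different keys, which is what a regenerated
# ssldir produces.
def make_ca(cn = 'ca')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(cn, key.public_key, 1)
  cert.issuer = cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# A host certificate signed by the CA, like the master's /CN=server.dev.domain.com.
def issue_host_cert(ca_key, ca_cert, fqdn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(fqdn, key.public_key, serial)
  cert.issuer = ca_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# What the agent does with its cached ca.pem: a store holding only that CA,
# then verify the peer certificate against it. Returns :ok or OpenSSL's reason.
def verify_against_ca(cached_ca, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cached_ca)
  store.verify(peer_cert) ? :ok : store.error_string
end

# Diagnose an agent's cached ca.pem against the CA cert the master presents in
# its chain. The CA subject is /CN=ca in both cases, so compare fingerprints,
# not names; then check the validity window (clock skew) before verifying.
def diagnose(cached_ca, presented_ca, master_cert, now = Time.now)
  return :ca_mismatch   if fingerprint(cached_ca) != fingerprint(presented_ca)
  return :not_yet_valid if master_cert.not_before > now
  return :expired       if master_cert.not_after < now
  verify_against_ca(cached_ca, master_cert) == :ok ? :ok : :verify_failed
end

if __FILE__ == $PROGRAM_NAME
  _, old_ca = make_ca                    # the CA the agent cached before the rollback
  new_ca_key, new_ca = make_ca           # the CA puppetmasterd regenerated afterwards
  _, master_cert = issue_host_cert(new_ca_key, new_ca, 'server.dev.domain.com', 2)
  puts "cached ca.pem: #{fingerprint(old_ca)}"
  puts "presented CA:  #{fingerprint(new_ca)}"
  puts "verify against stale ca.pem: #{verify_against_ca(old_ca, master_cert)}"
  puts "verify against current CA:   #{verify_against_ca(new_ca, master_cert)}"
  puts "diagnosis: #{diagnose(old_ca, new_ca, master_cert)}"
end
```

Against a real deployment, load the agent's ca.pem with OpenSSL::X509::Certificate.new(File.read('/etc/puppet/ssl/certs/ca.pem')) and the master's CA cert from the second PEM block that openssl s_client -showcerts prints; a :ca_mismatch result means the agent's ssldir must be cleared and the cert re-requested from the current CA, which is exactly the reset the thread ends up needing.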
David Dyer-Bennet
2010-Jul-26 16:40 UTC
Re: [Puppet Users] certificate verified failed -- After upgrade/rollback from 2.6
On Mon, July 26, 2010 09:00, CraftyTech wrote:
> Hello All,
>
> So it turns out that after the upgrade and subsequent rollback
> from 2.6, I can't get clients to connect to puppetserver anymore.
> Something got broken with the ssl and I'm having a tough time
> identifying the problem. So far, I've tried puppetca --clean all (and
> hostname specific), I even deleted the /etc/puppet/ssl on both client
> and server, and still verified failed. These are the steps that I
> follow, in order to test:
> On server: puppetca --clean hostname
> On client: puppetd -t --waitforcert 20
> On server: puppetca -l (it shows the client's FQDN)
> On server: puppetca -s "client's FQDN"
> On client: certificate verified failed !!

I'm getting the same or a very similar problem, with a Centos 5.5 clean
install from RPMs (puppet 0.25.5).

> err: Could not retrieve catalog from remote server: certificate verify
> failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run

In particular, I'm always ending up with this situation.

See my posts late last week for my descriptions, but it sounds like
probably the same thing somehow. I've also manually deleted the ssl
directory, and even the entire /etc/puppet and /var/lib/puppet
directories, and removed and reinstalled the software packages.

Sort-of glad it's not just me (though sorry you're caught in this mess).

--
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
CraftyTech
2010-Jul-26 16:53 UTC
[Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
Yeah.. this is a pretty funky situation.. So recap, I covered all the
basics of Puppet/SSL connectivity:

1) times are synced via NTP
2) All SSL values are default
3) SElinux and iptables are off
4) client/server are on the same network
5) all hostnames resolve to fqdn from both dns/files

All I did was upgrade and then rollback from 2.6, but I'm guessing
that something got changed at the SSL level (I hope I'm just
overlooking something) and I can't tell what it is. At this point, I
feel like I'd need to rebuild the whole server from scratch, but I was
hoping someone had a silver bullet for me to use...

On Jul 26, 12:40 pm, "David Dyer-Bennet" <d...@dd-b.net> wrote:
> I'm getting the same or a very similar problem, with a Centos 5.5 clean
> install from RPMs (puppet 0.25.5).
>
> > err: Could not retrieve catalog from remote server: certificate verify
> > failed
> > warning: Not using cache on failed catalog
> > err: Could not retrieve catalog; skipping run
>
> In particular, I'm always ending up with this situation.
>
> See my posts late last week for my descriptions, but it sounds like
> probably the same thing somehow. I've also manually deleted the ssl
> directory, and even the entire /etc/puppet and /var/lib/puppet
> directories, and removed and reinstalled the software packages.
>
> Sort-of glad it's not just me (though sorry you're caught in this mess).
CraftyTech
2010-Jul-26 17:12 UTC
[Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
Got It !!! Here's the thing: All the steps I followed were well and
good, but I needed to actually stop puppetmasterd, before they could
actually work (wasn't the case in the past). So there you have it
newbies...
David Dyer-Bennet
2010-Jul-26 18:20 UTC
Re: [Puppet Users] Re: certificate verified failed -- After upgrade/rollback from 2.6
On Mon, July 26, 2010 12:12, CraftyTech wrote:
> Got It !!! Here's the thing: All the steps I followed were well and
> good, but I needed to actually stop puppetmasterd, before they could
> actually work (wasn't the case in the past). So there you have it
> newbies...

Well, drat. I've been doing that regularly, and getting the same error
you've been seeing. So apparently I've got some other issue. Sigh.

--
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info