I am banging my head against the wall for recently built hosts that are unable to verify the server's certs. The usual is not working.

on the puppet agent machine:
find /var/lib/puppet/ssl -type f -delete

on puppet master:
puppetca --clean <new_host_cert>

on agent:
puppetd --server puppet --waitforcert 2 --no-daemonize -d -o

on puppet master:
puppetca --sign <new_host_cert>

after signing the cert, this is what client shows:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I'm signing the cert that shows up on the master via puppet --list, simply copying and pasting.

the usual steps work on all other existing hosts, but this host refuses to verify the cert. is it the server cert that's invalid? any help much appreciated.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at groups.google.com/group/puppet-users?hl=en.
First thing I would check is time, to make sure that your manager and host are synched.

--------------------------------------------------
From: "David Birdsong" <david.birdsong@gmail.com>
Sent: Saturday, November 13, 2010 2:49 PM
To: <puppet-users@googlegroups.com>
Subject: [Puppet Users] certificate verify failed

> I am banging my head against the wall for recently built hosts that
> are unable to verify the server's certs. The usual is not working.
> [...]
> after signing the cert, this is what client shows:
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed
> [...]
On Sat, Nov 13, 2010 at 3:19 PM, Marek Dohojda <chrobry@gmail.com> wrote:
> First thing I would check is time, to make sure that your manager and host
> are synched.

makes sense, i didn't think of this earlier, but alas i've synced them (they were off by ~18 seconds) and still getting the exact same error.

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
On Sat, Nov 13, 2010 at 7:56 PM, David Birdsong <david.birdsong@gmail.com> wrote:
> On Sat, Nov 13, 2010 at 3:19 PM, Marek Dohojda <chrobry@gmail.com> wrote:
>> First thing I would check is time, to make sure that your manager and host
>> are synched.
>
> makes sense, i didn't think of this earlier, but alas i've synced them
> (they were off by ~18 seconds) and still getting the exact same error.
>
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed

The agent couldn't reverse resolve itself. We use /etc/hosts, so I updated the agent machine's /etc/hosts and it now works.
Is the clock of the troublesome host synchronized with all of the others? This is often the cause of certificate verification failures.

Hope this helps,
--
Jeff McCune - (+1-503-208-4484)

On Nov 13, 2010, at 10:49 PM, David Birdsong <david.birdsong@gmail.com> wrote:
> I am banging my head against the wall for recently built hosts that
> are unable to verify the server's certs. The usual is not working.
> [...]
> after signing the cert, this is what client shows:
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed
> [...]
Whenever I try to connect to the master from the client, I get the following error:

Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I tried google and most of the results say the problem is due to the difference in clock between the server and client. However, my server and client have the same date and time. Here are extra details about my setup.

Server:
hostname - puppetmaster
domainname - does not have a domain
fqdn - puppetmaster

Client:
hostname - puppetclient
domainname - localdomain
fqdn - puppetclient.localdomain

I have puppetclient and its ip address in the master's /etc/hosts file. I also have puppetmaster and its ip address in the client's /etc/hosts file. I use "puppetd --debug --server puppetmaster" on the client to connect to the server. The first time it connects, it requests a certificate from the server. I then use puppetca to sign the certificate on the master. I get the error after doing that step. I'm completely clueless. I've tried all sorts of permutations and cannot get it to work. I guess somewhere, my certificates are getting screwed up or could it also be because my server does not have a domain name? But that is one of the requirements. Any help would be appreciated! Thanks!
On Mon, Dec 06, 2010 at 12:13:37PM -0800, Kikanny wrote:
> Whenever I try to connect to the master from the client, I get the
> following error:
>
> Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify
> failed

I can think of the following reasons:
* Client generated a new certificate after your master signed one.
* When you connect a new client it retrieves the master's certificate. When you connect again, the certificate will be checked. If you rebuild your puppetmaster, your client will not trust its new certificate.
* You revoked your client's certificate
* You revoked the certificate of your master

If this is your first attempt to use puppet, try a fresh restart:
* remove /etc/puppet/ssl and/or /var/lib/puppet/ssl on master and client
* puppet cert --list --all should be empty on master
* run puppet master --no-daemonize --verbose on master
* run puppet agent --server masters_hostname --test --waitforcert 15 on client
* run puppet cert --list and puppet cert --sign on master

If that does not work, you can check the subject of the certificates because I think they have to match the hostname. You can do that with "puppet cert --list" and "puppet cert --print <fqdn>" and on the client "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem" should work

-Stefan
I've tried all of the steps you outlined, and still nothing. I also checked the certificates; the subject lines match the hostnames. I'm out of ideas. This has been frustrating me for the past two days :(

On Dec 6, 6:00 pm, Stefan Schulte <stefan.schu...@taunusstein.net> wrote:
> I can think of the following reasons:
> [...]
> If this is your first attempt to use puppet, try a fresh restart:
> [...]
> If that does not work, you can check the subject of the certificates
> because I think they have to match the hostname. You can do that with
> "puppet cert --list" and "puppet cert --print <fqdn>" and on the client
> "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem" should work
>
> -Stefan
On 12/06/2010 09:13 PM, Kikanny wrote:
> Whenever I try to connect to the master from the client, I get the
> following error:
>
> Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify
> failed
> [...]
> I guess somewhere, my certificates are getting
> screwed up or could it also be because my server does not have a
> domain name? But that is one of the requirements. Any help would be
> appreciated! Thanks!

I remember similar nightmares. Have you tried certname options on the client node? I.e., puppetd --test --certname=<name> or adding it to puppet.conf?

Otherwise, try openssl s_client and connect to the puppetmaster port to see the server certificate. Diff against your cached cert, see if the names are correct etc.

HTH,
Felix
So there is something wrong with the date of the certificate. When I do "openssl x509 -noout -text -in /etc/puppet/ssl/certs/client.pem | grep -A2 Validity", I get:

Validity
Not Before: Dec 7 14:08:10 2010 GMT
Not After : Dec 6 14:08:10 2015 GMT

However, the current date of the client is Dec 8 which is well within the valid range. The date is also the same as the master server. But when I change the date of the client to Dec 9, everything works fine and I don't get that certificate verify failed error anymore. This is baffling! Any idea how to fix this? Thanks!

On Dec 6, 6:00 pm, Stefan Schulte <stefan.schu...@taunusstein.net> wrote:
> If that does not work, you can check the subject of the certificates
> because I think they have to match the hostname. You can do that with
> "puppet cert --list" and "puppet cert --print <fqdn>" and on the client
> "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem" should work
>
> -Stefan
On Wed, Dec 8, 2010 at 6:20 AM, Kikanny <kikanny@gmail.com> wrote:
> So there is something wrong with the date of the certificate.
> [...]
> Validity
> Not Before: Dec 7 14:08:10 2010 GMT
> Not After : Dec 6 14:08:10 2015 GMT
>
> However, the current date of the client is Dec 8 which is well within
> the valid range. The date is also the same as master server. But when
> I change the date of the client to Dec 9, everything works fine and I
> don't get that certificate verify failed error anymore. This is
> baffling! Any idea how to fix this? Thanks!

Let's use openssl to debug this and see if we can get a better error message indicating why the cert is rejected. In the command below replace the certs and ca to the appropriate path on your system:

openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/puppet.training.pem -key /var/lib/puppet/ssl/private_keys/puppet.training.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem

A successful connection:
CONNECTED(00000003)
depth=1 /CN=puppet.training
verify return:1
depth=0 /CN=puppet.training
verify return:1
...

Here, I intentionally set the system time to 2009 and the error message shows why the cert was rejected.
CONNECTED(00000003)
depth=1 /CN=puppet.training
verify error:num=9:certificate is not yet valid
notBefore=Sep 20 08:01:21 2010 GMT
verify return:0

Hope this helps. Thanks,

Nan
Hi Nan

Thanks for your response. I tried that. But it says that everything is okay. I get "verify return 1" instead of saying why there is a verification error....

On Dec 8, 10:54 am, Nan Liu <n...@puppetlabs.com> wrote:
> Let's use openssl to debug this and see if we can get a better error
> message indicating why the cert is rejected. In the command below
> replace the certs and ca to the appropriate path on your system:
>
> openssl s_client -host puppet -port 8140 -cert
> /var/lib/puppet/ssl/certs/puppet.training.pem -key
> /var/lib/puppet/ssl/private_keys/puppet.training.pem -CAfile
> /var/lib/puppet/ssl/certs/ca.pem
> [...]
> Nan
Found out the error. Both the master and client were showing the same time. But they happened to be on different time zones. AHH!

On Dec 8, 1:19 pm, Kikanny <kika...@gmail.com> wrote:
> Hi Nan
>
> Thanks for your response. I tried that. But it says that everything is
> okay. I get "verify return 1" instead of saying why there is a
> verification error....
> [...]
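The two root causes this thread ends on (the first thread's clock skew, and Kikanny's master and client that displayed the same digits in different time zones) are both "the agent's idea of the current UTC instant is outside the certificate's validity window", which X.509 checks in GMT regardless of what `date` prints locally. The script below is an added example, not code from any poster or from Puppet: it parses the Validity block in the format `openssl x509 -noout -text` prints, translates a host's wall clock plus UTC offset into the instant the verifier actually compares, and pulls the `verify error:num=N` lines out of an s_client transcript of the shape Nan showed. The certificate text, the s_client transcript, the host clocks and the ten-hour offset are all constructed inputs; the offset is assumed only so that the symptom reproduces offline.

```python
"""Offline diagnosis of Puppet's "certificate verify failed" for two causes
seen in this thread: real clock skew, and hosts whose wall clocks show the
same digits in different time zones.

Added example, not code from the thread or from Puppet. Inputs below are
constructed: the Validity block is in the format printed by
`openssl x509 -noout -text`, the s_client transcript follows the shape shown
earlier in the thread, and the host clocks and UTC offsets are assumed.
"""
import re
from datetime import datetime, timedelta, timezone

# openssl prints validity bounds as e.g. "Dec  7 14:08:10 2010 GMT" (always GMT).
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _parse_openssl_time(text):
    # Collapse the double space openssl pads single-digit days with.
    return datetime.strptime(" ".join(text.split()), _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_validity(x509_text):
    """Return (not_before, not_after) as aware UTC datetimes from
    `openssl x509 -noout -text` output."""
    m = re.search(r"Not Before\s*:\s*([^\n]+)\n\s*Not After\s*:\s*([^\n]+)", x509_text)
    if not m:
        raise ValueError("no Validity block found")
    return _parse_openssl_time(m.group(1)), _parse_openssl_time(m.group(2))


def host_utc_now(wall_clock, utc_offset_hours):
    """Translate a host's naive local wall clock into the UTC instant it means.

    X.509 validity is compared in UTC, so two hosts that display identical
    digits but sit in different zones are really hours apart.
    """
    local = wall_clock.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


def check_cert_time(x509_text, wall_clock, utc_offset_hours):
    """Return 'ok', 'not yet valid' or 'expired' as seen from the given host clock."""
    not_before, not_after = parse_validity(x509_text)
    now = host_utc_now(wall_clock, utc_offset_hours)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "ok"


def clock_skew_seconds(master_wall, master_offset, agent_wall, agent_offset):
    """Real skew in seconds (agent minus master), computed in UTC."""
    delta = host_utc_now(agent_wall, agent_offset) - host_utc_now(master_wall, master_offset)
    return int(delta.total_seconds())


def s_client_verify_errors(transcript):
    """Extract (num, reason) pairs from the 'verify error' lines of openssl s_client."""
    return re.findall(r"verify error:num=(\d+):([^\n]+)", transcript)


# Constructed: the Validity block from the agent cert quoted in this thread.
AGENT_CERT_TEXT = """\
        Validity
            Not Before: Dec  7 14:08:10 2010 GMT
            Not After : Dec  6 14:08:10 2015 GMT
"""

# Constructed: both hosts display "Dec 8 00:05:00 2010". The master keeps UTC;
# the agent is assumed to sit ten hours ahead of UTC with the same digits on
# its clock, which is enough to reproduce the symptom.
SAME_DIGITS = datetime(2010, 12, 8, 0, 5, 0)
MASTER_OFFSET_HOURS = 0
AGENT_OFFSET_HOURS = 10

# Constructed: an s_client run in the shape shown earlier in the thread.
S_CLIENT_REJECTED = """\
CONNECTED(00000003)
depth=1 /CN=puppet.training
verify error:num=9:certificate is not yet valid
notBefore=Sep 20 08:01:21 2010 GMT
verify return:0
"""

if __name__ == "__main__":
    print("master view:", check_cert_time(AGENT_CERT_TEXT, SAME_DIGITS, MASTER_OFFSET_HOURS))
    print("agent view: ", check_cert_time(AGENT_CERT_TEXT, SAME_DIGITS, AGENT_OFFSET_HOURS))
    print("real skew:  ", clock_skew_seconds(SAME_DIGITS, MASTER_OFFSET_HOURS,
                                             SAME_DIGITS, AGENT_OFFSET_HOURS), "seconds")
    print("s_client:   ", s_client_verify_errors(S_CLIENT_REJECTED))
```

On a real pair of hosts, feed `parse_validity` the output of `openssl x509 -noout -text -in /var/lib/puppet/ssl/certs/<certname>.pem` and compare against the clock of the agent, not the master, since it is the agent that rejects the freshly issued certificate. The quick manual check that would have caught Kikanny's case is to run `date -u` on both machines rather than `date`: NTP keeps UTC in step, and a zone mismatch only becomes visible once both clocks are printed in the same zone.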