Andrei Serdeliuc
2011-Apr-06 18:02 UTC
[Puppet Users] SSL issues: Separate CA, multiple load balanced masters
Hi,

I've been at it for about 4 days now and I just can't figure it out. I'm getting the following error when running puppet agent on my masters:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

At startup, I'm running ntpdate (I've read in a lot of places that this error occurs when the date between servers is different; it's not).

My setup is:

CA: puppet.mydomain.com with config:
  certdnsnames = puppet.mydomain.com
  certname = puppet.mydomain.com
  server = puppet.mydomain.com

Masters behind an Amazon ELB, with config:
  certdnsnames = master.mydomain.com
  ca_server = puppet.mydomain.com
  server = master.puppet.3ev.info
  ca = false

Does anyone have any idea why this might happen?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
John Warburton
2011-Apr-07 00:31 UTC
Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters
On 7 April 2011 04:02, Andrei Serdeliuc <andrei@serdeliuc.ro> wrote:
> Hi,
>
> I've been at it for about 4 days now and I just can't figure it out.
> I'm getting the following error when running puppet agent on my
> masters: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed
>

It took me a bit longer than 4 days, but using http://bodepd.com/wordpress/?p=7 as a guide, I did this:

1. CA server is a puppet server with the exact same configuration on all puppet servers. ca_server is puppet-ca.example.com

2. Same certname everywhere: puppet.example.com. Manage the certs in puppet:
   $etc/ssl/ca/signed/puppet.example.com.pem
   $etc/ssl/certs/puppet.example.com.pem
   $etc/ssl/private_keys/puppet.example.com.pem
   $etc/ssl/public_keys/puppet.example.com.pem

3. Same certdnsnames everywhere, with every possible combination of name the client contacts the puppet master with. I have heard (but not tried) that you can use wildcards. This includes puppet-ca.example.com, puppet.example.com, ...

4. I keep all $etc/ssl/ca files managed in puppet too.

Note that I use CNAMEs everywhere so I don't have to change certificates if I replace a machine. Adding machines will require a new cert.

Keep playing. Once it works, it works well. I can deploy a new puppet server in the blink of an eye!

John
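The "certificate verify failed" error in the thread is, in the common case, a hostname check: the client compares the name it connected to against the DNS names in the master certificate's subjectAltName extension (which is what Puppet's colon-separated certdnsnames setting populates), falling back to the subject CN only when the certificate carries no DNS SANs. The following is an added example (not code from the thread, from Puppet, or from bodepd.com) that models that check in Python so the effect of John's point 3 can be tried offline; the certificate names and connect names are constructed from the values quoted in this thread, and the wildcard rule implemented is the single-leading-label rule of RFC 6125, which is an assumption about how a given client library behaves.

```python
"""Model of the TLS hostname check a Puppet agent performs against a master
certificate.  Added example; certificate data is constructed inline from the
names used in the thread, nothing is read from a live master."""


def parse_certdnsnames(value):
    """Puppet's certdnsnames is a colon-separated list of DNS names that are
    placed in the master certificate's subjectAltName extension."""
    return [n.strip().lower() for n in value.split(":") if n.strip()]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact (case-insensitive) match, or a
    wildcard that is the whole left-most label and matches exactly one label.
    '*.example.com' matches 'puppet.example.com' but not 'a.b.example.com',
    and a bare '*.com' is rejected as too broad (assumed rule)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return (len(p_labels) == len(h_labels)
                and len(p_labels) > 2
                and p_labels[1:] == h_labels[1:])
    return False


def names_presented(certname, certdnsnames=""):
    """Names a verifier will accept for the certificate: the SAN DNS list when
    present, otherwise the subject CN (Puppet's certname)."""
    sans = parse_certdnsnames(certdnsnames)
    return sans if sans else [certname.lower()]


def verify_hostname(certname, certdnsnames, connect_name):
    """Return (ok, message) for connecting to connect_name against a master
    whose certificate has the given certname and certdnsnames."""
    names = names_presented(certname, certdnsnames)
    if any(dns_name_matches(n, connect_name) for n in names):
        return True, f"ok: {connect_name} matched by certificate names {names}"
    return False, (f"certificate verify failed: {connect_name} "
                   f"not covered by certificate names {names}")


def missing_names(certdnsnames, connect_names):
    """John's point 3 as a check: every name a client might use to reach the
    master that the current certdnsnames list does not cover."""
    names = parse_certdnsnames(certdnsnames)
    return [c for c in connect_names
            if not any(dns_name_matches(n, c) for n in names)]


if __name__ == "__main__":
    # Values quoted in the original post (constructed scenario).
    master_certname = "master.mydomain.com"
    master_certdnsnames = "master.mydomain.com"
    for connect in ("master.mydomain.com", "master.puppet.3ev.info"):
        print(verify_hostname(master_certname, master_certdnsnames, connect)[1])

    # John's layout: one certdnsnames list covering every alias clients use.
    shared = "puppet.example.com:puppet-ca.example.com"
    clients_use = ["puppet.example.com", "puppet-ca.example.com",
                   "puppet-lb.example.com"]  # constructed load-balancer alias
    print("names still to add to certdnsnames:",
          missing_names(shared, clients_use))
    # A wildcard entry covers all of them in one go.
    print("with wildcard:", missing_names("*.example.com", clients_use))
```

Running it prints one "ok" line for master.mydomain.com, a "certificate verify failed" line for master.puppet.3ev.info (the server= value in the original post is not in that certdnsnames list), and shows puppet-lb.example.com as the only name left uncovered by John's two-name list until a wildcard is used. The point for operators is that every alias, CNAME and load-balancer name an agent is pointed at has to appear in the SAN list before it is used, and a mismatch produces exactly the generic verify error seen in the thread, which is why the error message alone does not distinguish a name problem from a stale or wrong certificate.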
Andrei Serdeliuc
2011-Apr-07 07:03 UTC
Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters
It now seems to work. I was doing 2 things wrong: not restarting Apache (the master runs under apache + passenger) after certificates were generated. That fixed the initial SSL error (apache was using an older certificate, the ones generated didn't match, etc).

All works fine now, unless I try to get the masters to use themselves as masters. If I configure the masters to use the CA server as a master, puppet agent works fine. If I point the masters to the load balancer in front of the masters, puppet agent throws the same annoying

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Any tips on that?

Thanks
Ohad Levy
2011-Apr-07 11:11 UTC
Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters
On Thu, Apr 7, 2011 at 10:03 AM, Andrei Serdeliuc <andrei@serdeliuc.ro> wrote:
> It now seems to work, I was doing 2 things wrong: not restarting Apache
> (the master runs under apache + passenger) after certificates were
> generated. That fixed the initial SSL error (apache was using an older
> certificate, the ones generated didn't match, etc).
>
> All works fine now, unless I try to get the masters to use themselves as
> masters. If I configure the masters to use the CA server as a master, puppet
> agent works fine. If I point the masters to the load balancer in front of
> the masters, puppet agent throws the same annoying SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed
>
> Any tips on that?
>

Either disable CRL or set a new certificate for your puppet client (which is running on your master).

> Thanks
Andrei Serdeliuc
2011-Apr-07 12:16 UTC
Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters
Ohad, I can't thank you enough for that tip. Solved every error that was occurring by disabling CRL. I realise this is not desirable, so I will get my init scripts generating separate certificates for the puppet agent running on the masters.

Again, thank you very much.