Martin Orda
2011-Apr-13 03:11 UTC
[Puppet Users] Puppet client 'certificate verify failed'
Hi,
I've looked in the archives and elsewhere but couldn't find a solution
to the issue I'm having. I'm running puppet with an external CA that I
manage myself (ca=false for puppetmasterd); puppetmasterd is behind an
nginx reverse proxy. On the client I'm getting:
root@web01:~# puppet agent --verbose --no-daemonize --onetime
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
The puppetmaster's fqdn is excel.example.com and the SSL settings on
the master shouldn't really matter since nginx is the SSL endpoint in
this scenario. Could you have a look at the below (also available as
http://pastie.org/1789339) and let me know if my config is sensible or
if you can spot anything incorrect?
Upon puppet agent's invocation, no private keys or CSRs are created
which was my goal yet the verification fails. Below I've shown that
the checksums for the certificates used by both the client and master
are the same. Could you tell me (or point to a relevant explanation)
what is being verified in this process?
*** puppetmaster (excel):
/etc/puppet/puppet.conf:
[main]
ca=false
ssldir=/etc/ssl
cadir=$ssldir
publickeydir=$ssldir/public
privatekeydir=$ssldir/private
certdir=$ssldir/certs
vardir=/var/lib/puppet
localcacert = $certdir/ca-example.pem
[agent]
vardir = /var/lib/puppet
logdir = /var/log/puppet
templatedir = /var/lib/puppet/templates
factpath = $vardir/lib/facter
hostcert = $certdir/$certname.pem
hostprivkey = $privatedir/$certname.pem
hostpubkey = $publickeydir/$certname.pem
[master]
certname = puppet.example.com
servertype = mongrel
Relevant parts of /etc/nginx/sites-enabled/default:
server {
listen 8140;
ssl on;
ssl_verify_client on;
ssl_session_timeout 5m;
ssl_certificate /etc/ssl/certs/puppet.example.com.crt;
ssl_certificate_key /etc/ssl/private/puppet.example.com.pem;
ssl_client_certificate /etc/ssl/certs/ca-example.crt;
#ssl_crl /etc/ssl/crl.pem;
}
SSL certs:
excel:/etc# for i in `find /etc/ssl/ -name '*.pem'`; do
md5sum $i; done
295340125c63ae9d64a87efc17135fec /etc/ssl/certs/ca-example.pem
7dbfce2a18002180a89df1853885273c /etc/ssl/certs/puppet.example.com.pem
6e33bd09dde9df47274a2ff1e06c1727 /etc/ssl/certs/web01.example.com.pem
ce15583b70c297f1be3c07b6c2f9828a /etc/ssl/private/ca-example.pem
f724911baa98c21291fe4eba4082266a /etc/ssl/private/puppet.example.com.pem
a38699481a609f32fab4374b5e51f4b0 /etc/ssl/private/web01.example.com.pem
5c269566c26c1f268df08b8162e388aa /etc/ssl/crl.pem
39571a88f872fa33256692f7e97d266f /etc/ssl/public/ca-example.pem
2bf6ed6843c4e523c0e0c6f387fd792b /etc/ssl/public/puppet.example.com.pem
94ab66cac55b88c5e8bf02b8a774187d /etc/ssl/public/web01.example.com.pem
*** puppet client (web01):
/etc/puppet/puppet.conf:
[main]
ca=false
ssldir=/etc/ssl
cadir=$ssldir
publickeydir=$ssldir/public
#privatedir=$ssldir/private
privatekeydir=$ssldir/private
certdir=$ssldir/certs
[agent]
vardir = /var/lib/puppet
logdir = /var/log/puppet
templatedir = /var/lib/puppet/templates
factpath = $vardir/lib/facter
localcacert = $certdir/ca-example.pem
hostprivkey = /etc/ssl/private/web01.example.com.pem
hostpubkey = $publickeydir/$certname.pem
SSL certs:
root@web01:~# for i in `find /etc/ssl -name '*.pem'`; do
md5sum $i; done
a38699481a609f32fab4374b5e51f4b0 /etc/ssl/private/web01.example.com.pem
6e33bd09dde9df47274a2ff1e06c1727 /etc/ssl/certs/web01.example.com.pem
295340125c63ae9d64a87efc17135fec /etc/ssl/certs/ca-example.pem
94ab66cac55b88c5e8bf02b8a774187d /etc/ssl/public/web01.example.com.pem
39571a88f872fa33256692f7e97d266f /etc/ssl/public/ca-example.pem
5c269566c26c1f268df08b8162e388aa /etc/ssl/crl.pem
excel:~# date; ssh 172.19.80.212 date
Wed Apr 13 02:36:23 BST 2011
Wed Apr 13 02:36:23 BST 2011
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Felix Frank
2011-Apr-15 07:14 UTC
Re: [Puppet Users] Puppet client 'certificate verify failed'
On 04/13/2011 05:11 AM, Martin Orda wrote:
> Hi,
>
> I've looked in the archives and elsewhere but couldn't find a solution
> to the issue I'm having. I'm running puppet with an external CA that I
> manage myself (ca=false for puppetmasterd) puppetmasterd is behind
> nginx reverse proxy. On the client I'm getting:
>
> root@web01:~# puppet agent --verbose --no-daemonize --onetime
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed
> notice: Using cached catalog
> err: Could not retrieve catalog; skipping run
>
> The puppetmaster's fqdn is excel.example.com and the SSL settings on
> the master shouldn't really matter since nginx is the SSL endpoint in
> this scenario. Could you have a look at the below (also available as
> http://pastie.org/1789339) and let me know if my config is sensible or
> if you can spot anything incorrect?

Hi,

as a matter of fact, I don't see where you're telling the client to talk
to "excel.example.com" (puppet agent's "server" parameter). As is, the
agent probably just talks to "puppet". If your master cert is for "excel"
and not "puppet", you're bound to get errors.

If setting this doesn't help, you should use openssl s_client to query
your master's certificate and find out why a client would fail its
verification.

HTH,
Felix
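Felix's diagnosis, worked through as an added example that is not part of the thread: a TLS client such as the agent rejects the master's certificate either because it does not chain to the CA in localcacert, or because the name the agent dialled (its "server" setting, which defaults to "puppet") does not match the certificate's SAN/CN. The script below reproduces both checks offline with the openssl CLI, using a throwaway CA and a master certificate constructed on the fly for excel.example.com (these stand in for the poster's ca-example.pem and puppet.example.com.pem and are not their files). It assumes OpenSSL 1.1.0 or later, which is needed for `openssl verify -verify_hostname`.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces offline the two checks
# behind an agent's "certificate verify failed": (1) does the master cert
# chain to the CA in localcacert, and (2) does the name the agent dials
# (its "server" setting, default "puppet") match the certificate.
# Assumes OpenSSL 1.1.0+ on PATH (for -verify_hostname).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a master cert issued for excel.example.com only.
# Constructed here; stands in for ca-example.pem and puppet.example.com.pem.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=excel.example.com" \
        -keyout "$WORK/master.key" -out "$WORK/master.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:excel.example.com\n' > "$WORK/san.ext"
    openssl x509 -req -days 1 -in "$WORK/master.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
        -out "$WORK/master.pem" >/dev/null 2>&1
}

# chain_ok CERT CA: exit 0 iff CERT chains to CA (the name is not checked).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# name_ok CERT CA NAME: exit 0 iff CERT chains to CA *and* NAME matches its
# SAN (or CN fallback), i.e. what the agent requires when it dials NAME.
name_ok() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

make_pki
for name in puppet excel.example.com; do
    if name_ok "$WORK/master.pem" "$WORK/ca.pem" "$name"; then
        echo "server = $name: verify OK"
    elif chain_ok "$WORK/master.pem" "$WORK/ca.pem"; then
        echo "server = $name: chain OK but hostname mismatch"
    else
        echo "server = $name: does not chain to CA"
    fi
done

# Against a live master the equivalent probe is (not run here, needs the
# network; nginx has ssl_verify_client on, so present the agent's cert too):
#   openssl s_client -connect excel.example.com:8140 -servername excel.example.com \
#       -CAfile /etc/ssl/certs/ca-example.pem \
#       -cert /etc/ssl/certs/web01.example.com.pem \
#       -key /etc/ssl/private/web01.example.com.pem </dev/null
# "Verify return code: 0 (ok)" in its output is what the agent needs to see.
```

With the constructed certificate the loop reports a hostname mismatch for "puppet" and a clean verify for "excel.example.com", which is the failure mode Felix describes: matching md5sums on both hosts only prove the files are identical, not that the certificate was issued for the name the agent connects to. Setting `server = excel.example.com` in the agent section (or issuing the master certificate with a SAN for the name actually used) is what closes the gap.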