Vince Taluskie
2011-Apr-14  21:56 UTC
[Puppet Users] CA cert issue when puppetmaster doesn't reverse to puppet hostname
I wanted to test out running puppet under Passenger and set up a new
puppetmaster (brm-up-puppet-2) box to test on. I was seeing some
very odd errors back from clients when testing:
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
With the help of some previous posters and the archive, I was able to
find some helpful debugging commands, and it appears that the cert
generated when starting up the puppetmaster for the first time
contains X509v3 Subject Alternative Name entries with references to
'puppet' and 'puppet.sitename.com' as well, which actually
reverse back to what is currently running as prod (brm-up-puppet-1)
but not the new test puppetmaster (brm-up-puppet-2). Putting an
alias in /etc/hosts on my clients reversing puppet to the
brm-up-puppet-2 box eliminated the cert verify issues.
I wanted to mention that and ask whether that seems like the correct
assumption about the behavior of puppetmaster startup and CA creation.
Before beginning my test, I wiped out the /var/lib/puppet/ssl
directory on the new test puppetmaster. How do others handle
multiple puppetmasters and this behavior, and/or the transitions needed to
swap out old WEBrick for Passenger while keeping cert management sane?
Thanks,
Vince
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/brm-up-puppet-2.sitename.com.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: brm-up-puppet-2.sitename.com
        Validity
            Not Before: Apr 13 21:40:39 2011 GMT
            Not After : Apr 11 21:40:39 2016 GMT
        Subject: CN=brm-up-puppet-2.sitename.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:78:d8:b4:4d:88:90:76:37:07:53:b3:b9:a1:
                    cf:dd:62:81:e7:07:b6:1d:44:9c:66:1f:2c:75:0e:
                    6a:d4:2c:bb:96:da:42:82:64:2d:eb:38:a1:4f:38:
                    7c:fe:28:c4:a0:eb:5e:79:54:91:e7:39:62:dc:60:
                    2c:77:ae:9d:ab:c4:d7:de:d7:80:33:0f:05:d3:b8:
                    f0:71:38:52:42:26:94:22:ea:12:13:73:e9:9c:49:
                    97:75:df:c4:d3:56:a7:ec:7e:7f:a7:09:8b:ac:6d:
                    0f:9e:0c:3f:ab:de:d5:ad:64:3c:27:f4:c5:7c:c9:
                    32:67:67:e1:97:12:10:fd:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Generated Certificate
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                06:96:73:3F:97:EE:B3:FC:43:DC:21:E8:D9:C9:C5:71:83:BB:0B:00
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:brm-up-puppet-2.sitename.com, DNS:puppet.sitename.com
    Signature Algorithm: sha1WithRSAEncryption
        53:64:d0:8a:e0:b8:76:04:b6:51:9a:3d:d0:ff:72:c9:2f:57:
        8c:6a:6a:f4:ac:d8:56:20:02:bb:e0:1c:07:47:58:88:b0:68:
        2a:56:70:70:62:ed:11:fb:a1:26:5a:e0:6c:5c:e7:75:a4:43:
        8a:54:ce:16:02:ab:ab:06:7e:57:1d:6a:71:75:b3:2e:8b:20:
        f3:e6:c6:86:7e:d5:ee:fc:ed:35:7c:2d:da:3d:10:62:97:51:
        d3:ee:e3:4d:c3:79:35:3e:38:30:7e:d6:f2:b4:ab:46:5a:7f:
        5a:82:05:20:c4:db:94:4c:40:76:5d:1e:3a:25:77:be:63:95:
        55:00
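Added example, not part of the post and not Puppet's own code: a small Python check that pulls the DNS names out of an `openssl x509 -text` dump like the one above and reports whether the name an agent has in its `server` setting is one the master certificate actually covers. `OPENSSL_TEXT` is a constructed excerpt of the dump in the post; the comparison follows the usual TLS rule (requested name against the SAN DNS names, Subject CN only when there is no SAN) and also handles wildcard names, which goes beyond the cert shown here.

```python
import re

# Constructed excerpt of the `openssl x509 -text -noout` dump from the post,
# reduced to the fields this check reads (Subject and the wrapped SAN line).
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: CN=brm-up-puppet-2.sitename.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:brm-up-puppet-2.sitename.com,
DNS:puppet.sitename.com
    Signature Algorithm: sha1WithRSAEncryption
"""

def san_dns_names(text):
    """dNSName entries of the SAN extension; the value may wrap onto extra lines,
    so keep reading while the next line still looks like a GeneralName list."""
    lines = text.splitlines()
    names = []
    for i, line in enumerate(lines):
        if line.strip() == "X509v3 Subject Alternative Name:":
            for follow in lines[i + 1:]:
                s = follow.strip()
                if not s.startswith(("DNS:", "IP Address:", "email:", "URI:")):
                    break
                names += re.findall(r"DNS:([^,\s]+)", s)
            break
    return names

def subject_cn(text):
    m = re.search(r"^\s*Subject: .*?CN=([^,/\n]+)", text, re.M)
    return m.group(1).strip() if m else None

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the whole left-most label of a name with 3+ labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) > 2 and len(p) == len(h) and p[1:] == h[1:]

def cert_covers_server(text, server):
    """True if an agent whose `server` setting is `server` would find that name
    in the master cert. With a SAN present only its DNS names count; the
    Subject CN is consulted only when there is no SAN at all."""
    names = san_dns_names(text) or [subject_cn(text)]
    return any(name_matches(n, server) for n in names if n)
```

Run `cert_covers_server(OPENSSL_TEXT, "puppet")` against each name your agents are configured with; a name that returns False is one the agent will reject with "certificate verify failed" regardless of what it resolves to.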