Puppet users - May 2011 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

I ran in this problem an digged the net for a while to find a solution.

I have a fresh puppet install, and most nodes run fine but some exhibit
the following error:

err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed

warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I recreated several time the cert without problem, but the message 
stayed the same.  The ssl debuging of the connection indicated that the 
cert where indeed correct.  It turned out that when recreating the 
server CA I kept the crl.pem on the client.

Could it be possible to improve the error message?

Regards,
N.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 05/17/2011 08:59 AM, Nicolas Jungers wrote:
> I ran in this problem an digged the net for a while to find a solution.
> 
> I have a fresh puppet install, and most nodes run fine but some exhibit
> the following error:
> 
> err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed
> 
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> 
> I recreated several time the cert without problem, but the message
> stayed the same.  The ssl debuging of the connection indicated that the
> cert where indeed correct.  It turned out that when recreating the
> server CA I kept the crl.pem on the client.
> 
> Could it be possible to improve the error message?
> 
> Regards,
> N.
> 
Hi,

please make sure that both server have time in sync.

http://bitcube.co.uk/content/puppet-errors-explained

Regards,

Martin

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 2011-05-17 09:23, Martin Alfke wrote:
> On 05/17/2011 08:59 AM, Nicolas Jungers wrote:
[snip]
>> I recreated several time the cert without problem, but the message
>> stayed the same.  The ssl debuging of the connection indicated that the
>> cert where indeed correct.  It turned out that when recreating the
>> server CA I kept the crl.pem on the client.
>>
>> Could it be possible to improve the error message?
>>
>> Regards,
>> N.
>>
> Hi,
>
> please make sure that both server have time in sync.
Sorry, I wasn''t clear enough.

The problem was that the *crl*.  And the error message is maybe correct 
but misleading, it''s the crl that fails, not the certificate.

Regards,
N.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.