valigula
2011-Jul-11 12:43 UTC
[Puppet Users] err: Could not retrieve catalog from remote server: certificate verify failed
Hi All,

I have spent a couple of days trying to work out this problem with no luck. I am working on a Linux Fedora 14. I ssh from the server to the client using the IP with no problem.

Client:

    # puppetd --server puppet --waitforcert 60 --test --verbose
    info: Creating a new SSL key for bar03
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for bar03
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for bar03
    Could not retrieve selinux: Invalid argument - /proc/self/attr/current
    Could not retrieve selinux: Invalid argument - /proc/self/attr/current
    Could not retrieve selinux: Invalid argument - /proc/self/attr/current
    Could not retrieve selinux: Invalid argument - /proc/self/attr/current
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

Server:

    # puppetca -s bar03
    notice: Signed certificate request for ca
    notice: Rebuilding inventory file
    bar03
    notice: Signed certificate request for bar03
    notice: Removing file Puppet::SSL::CertificateRequest bar03 at '/var/lib/puppet/ssl/ca/requests/bar03.pem'

I have configured the time between the client and server using ntp but with the same or similar problem.

Can this problem be due to DNS issues?
Denmat
2011-Jul-11 21:03 UTC
Re: [Puppet Users] err: Could not retrieve catalog from remote server: certificate verify failed
Hi,

Yep it could be. Does --server 'puppet' resolve to the puppet master?

For SSL to work you need the following:
* port 8140 open
* certnames to be valid and matching DNS resolution (or what is specified in puppet.conf if declared).
* clock to be synced.

Use openssl s_client to verify and resolve issues.

Cheers
Den
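The three prerequisites listed in the reply above show up differently in what openssl s_client prints, so its output can be used to tell them apart. The script below is an added example, not part of the thread: the function name diagnose, the placeholder CA_PEM and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the output of
#   openssl s_client -connect SERVER:8140 -CAfile CA_PEM
# against the prerequisites listed above. CA_PEM is the CA certificate
# the agent cached; its location depends on the agent's ssldir.

# diagnose SERVER S_CLIENT_OUTPUT: print the likely cause, return 0 only if all pass
diagnose() {
    server=$1
    out=$2
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    # No verify line at all means the TLS handshake never completed.
    if [ -z "$code" ]; then
        echo "connect: no TLS session, check that port 8140 is reachable"
        return 1
    fi
    case $code in
        0)  ;;
        9)  echo "clock: certificate not yet valid, agent clock likely behind the CA"
            return 1 ;;
        10) echo "clock: certificate expired, or agent clock ahead"
            return 1 ;;
        18|19|20|21)
            echo "trust: server certificate not issued by the CA in CA_PEM"
            return 1 ;;
        *)  echo "verify: OpenSSL verify error $code"
            return 1 ;;
    esac
    # s_client does not compare names by default, so do it here: take the
    # CN from the subject line (handles "/CN=x" and "CN = x" layouts).
    cn=$(printf '%s\n' "$out" |
        sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    if [ "$cn" != "$server" ]; then
        echo "name: certificate is for '$cn', agent connects to '$server'"
        return 1
    fi
    echo "ok: chain, validity dates and name all pass"
}

# Constructed sample outputs (not captured from the poster's hosts).
SAMPLE_SKEW='subject=/CN=puppet
    Verify return code: 9 (certificate is not yet valid)'
SAMPLE_NAME='subject=CN = puppet.example.com
    Verify return code: 0 (ok)'

diagnose puppet "$SAMPLE_SKEW" || true
diagnose puppet "$SAMPLE_NAME" || true
```

On a live agent, pass the captured output as the second argument, for example diagnose puppet "$(openssl s_client -connect puppet:8140 -CAfile CA_PEM </dev/null 2>&1)".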
valigula
2011-Jul-11 21:19 UTC
[Puppet Users] Re: err: Could not retrieve catalog from remote server: certificate verify failed
Hi, thanks for your reply.

The server name resolves to the puppetmaster (I added the entry in the /etc/hosts), the openssl also works, but does not when I use the key. Still investigating.

Thanks