Jim Garrison
2012-Mar-30 23:20 UTC
[Puppet Users] "certificate verify failed" - but clocks are in sync
Apologies if this is a duplicate, but GG seems to have eaten my previous post

I'm trying to set up a simple master/agent on two VMs under the same ESXi host.

I start up the master successfully on vm1, then start up the agent on vm2

    sudo puppet agent --server vm1 --waitforcert 60 --test

On the master I sign the certificate request and then on the agent (vm2) I see:

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for vm2.jhmg.net
    info: Certificate Request fingerprint (md5): E2:79:4A:81:21:56:7E:2A:9B:B2:3C:74:27:15:24:4C
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for vm2.jhmg.net
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client

I have ntp running on both VMs, and have verified that their clocks are synchronized to within 1ms of each other.

What ELSE could cause this in such a simple setup?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/6gqr0brEIQAJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Denmat
2012-Mar-31 05:01 UTC
Re: [Puppet Users] "certificate verify failed" - but clocks are in sync
Try using fully qualified domain name. vm1.blah.com

The server name needs to match the certificate.

What you can do is remove all your ssl puppet dirs (usually /var/lib/puppet/ssl) and set certname in your puppet.conf to be what you call the hosts instead of using dns names.

i.e.:

on master:

    [main]
    certname = puppet.my.com

on client:

    [main]
    certname = client.my.com
    server = puppet.my.com

Then put entries in /etc/hosts to match.

That might help you along a bit.

Den

On 31/03/2012, at 10:20, Jim Garrison <jhg6308@gmail.com> wrote:

> Apologies if this is a duplicate, but GG seems to have eaten my previous post
>
> I'm trying to set up a simple master/agent on two VMs under the same ESXi host.
>
> I start up the master successfully on vm1, then start up the agent on vm2
>
> sudo puppet agent --server vm1 --waitforcert 60 --test
>
> On the master I sign the certificate request and then on the agent (vm2) I see:
>
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for vm2.jhmg.net
> info: Certificate Request fingerprint (md5): E2:79:4A:81:21:56:7E:2A:9B:B2:3C:74:27:15:24:4C
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for vm2.jhmg.net
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
>
> I have ntp running on both VMs, and have verified that their clocks are synchronized to within 1ms of each other.
>
> What ELSE could cause this in such a simple setup?
Jim Garrison
2012-Mar-31 17:01 UTC
Re: [Puppet Users] "certificate verify failed" - but clocks are in sync
That was it, thanks. I guess I assumed the command would resolve the hostname and provide the FQDN for me.

On Friday, March 30, 2012 10:01:43 PM UTC-7, denmat wrote:

> Try using fully qualified domain name. vm1.blah.com
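
The name check behind Denmat's advice, as an added example (not part of the thread and not Puppet's own code): it compares the name given to --server against the names inside a certificate, using the hostname comparison from Ruby's OpenSSL bindings. The certificate is constructed for the demo, and the FQDN vm1.jhmg.net for the master is an assumption, since the thread only shows vm2.jhmg.net.

```ruby
require "openssl"

# Constructed stand-in for the master's certificate. The FQDN passed in
# (vm1.jhmg.net below) is an assumption; the thread only names vm2.jhmg.net.
def build_sample_cert(fqdn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  cert.issuer     = cert.subject            # self-signed, for the demo only
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{fqdn}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Every DNS name the certificate answers to (subject CN plus subjectAltName).
def names_in_cert(cert)
  names = cert.subject.to_a.select { |oid, _| oid == "CN" }.map { |_, v| v }
  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    ext.value.split(/,\s*/).each do |entry|
      names << entry.sub(/\ADNS:/, "") if entry.start_with?("DNS:")
    end
  end
  names.uniq
end

# Hostname comparison as Ruby's OpenSSL bindings apply it to a peer certificate.
def name_matches?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

# One-line verdict for the name an agent would pass to --server.
def diagnose(cert, server_name)
  return "ok: #{server_name} is in the certificate" if name_matches?(cert, server_name)
  "mismatch: #{server_name} not in #{names_in_cert(cert).inspect}"
end

if __FILE__ == $PROGRAM_NAME
  cert = build_sample_cert("vm1.jhmg.net")
  puts diagnose(cert, "vm1")            # short name, as in the failing command
  puts diagnose(cert, "vm1.jhmg.net")   # fully qualified name
end
```

Clock skew and name mismatch are separate causes: the certificate here is inside its validity window, yet the short name still fails the comparison.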