Hello list,

I am having an issue where a puppet agent on a client complains that clocks are out of sync between it and its master -

err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: Could not remove PID file /var/lib/puppet/run/agent.pid

However without any doubt the clocks are in sync

- date from puppet client
Saturday, June 23, 2012 01:48:26 PM EDT
-date from puppet server
Sat Jun 23 13:48:26 EDT 2012

I ran the following command for the first time on the client,

puppet agent --server puppet01-ops.ops.example.com --waitforcert 60 --test --debug

and was able to generate and approve a cert request on the puppet server. But it failed the first and all subsequent attempts with the error message I show above.

The master and client do run different operating systems. The server is a RHEL 5.5 and the client is solaris 10

-server
[puppet01-ops:~] root% cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

[puppet01-ops:~] root% uname -a
Linux puppet01-ops 2.6.18-194.el5 #1 SMP Mon Mar 29 22:10:29 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

-client
[splunk-indx01:~] root% uname -a
SunOS splunk-indx01 5.10 Generic_147441-19 i86pc i386 i86pc

here is a verbose output of the puppet run on the client -

[splunk-indx01:~] root% puppet agent --server puppet01-ops.ops.example.com --waitforcert 60 --test --debug
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUseradd: file chage does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/run/agent.pid]: Autorequiring File[/var/lib/puppet/run]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state/last_run_summary.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 73965420
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 73477900
debug: Using cached certificate for ca
debug: Using cached certificate for splunk-indx01.example.com
debug: Finishing transaction 73257990
debug: catalog supports formats: b64_zlib_yaml dot marshal pson raw yaml; using pson
debug: Using cached certificate for ca
debug: Using cached certificate for splunk-indx01.example.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content: Executing 'diff -u /var/lib/puppet/state/last_run_summary.yaml /tmp/puppet-file20120623-2172-1qxtgsx-0'
notice: /File[/var/lib/puppet/state/last_run_summary.yaml]/content: --- /var/lib/puppet/state/last_run_summary.yaml Sat Jun 23 13:24:22 2012
+++ /tmp/puppet-file20120623-2172-1qxtgsx-0 Sat Jun 23 13:28:11 2012
@@ -1,6 +1,6 @@
 ---
 time:
- last_run: 1340472262
+ last_run: 1340472491
 version:
 puppet: 2.7.10
 config:

debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content: content changed '{md5}01f5ac2f7e8284d63a9e78fbf8340024' to '{md5}0d3057c2e97d43533f2ab9c65dd2bfa1'
debug: Finishing transaction 74116410
debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (marshal)
debug: report supports formats: b64_zlib_yaml marshal raw yaml; using marshal
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
err: Could not remove PID file /var/lib/puppet/run/agent.pid

So far, I've attempted to rm -rf the /var/lib/puppet/ssl directory on the CLIENT side :) and run a puppet cert --clean ${CLIENT_NAME} command on the master, then re-run the original command on the client (puppet agent --server puppet01-ops.ops.example.com --waitforcert 60 --test --debug).

The puppet server is currently controlling a number of nodes, and all the nodes are solaris. I've had a look at the server certificate with the openssl s_client -connect ${SERVER} command from both a working puppet client running solaris and the non-working one that I am attempting to setup: both outputs appear to be identical.

I was just wondering if there might be anything that I missed or anything else I could try to get this working.

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Hi,

On 06/23/2012 10:17 PM, Tim Dunphy wrote:
> The puppet server is currently controlling a number of nodes, and all
> the nodes are solaris. I've had a look at the server certificate with
> the openssl s_client -connect ${SERVER} command from both a working
> puppet client running solaris and the non-working one that I am
> attempting to setup: both outputs appear to be identical.

Good call.

Next step for me would be to "openssl x509" examine all newly cached certificates on the client. Is the stored master cert identical to the one presented? Is it signed by the same ca as the node cert? etc.

It's certainly helpful to get a feel for how the certificates relate and what puppet does to check everything.

Regards,
Felix
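The certificate checks suggested in the reply above, as an added example that is not part of the original thread: it compares certificates by fingerprint and tests whether the presented master certificate and the node certificate both verify against the CA cached on the agent. All function names and the demo PKI are constructed for illustration; on a real agent the cached CA would be /etc/puppet/ssl/certs/ca.pem (seen in the debug log) and the presented certificate a PEM saved from the openssl s_client -connect ${SERVER} output.

```shell
#!/bin/sh
# Added example: every certificate here is a constructed stand-in.

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# True when both files hold the same certificate (subject names alone can collide).
same_cert() {
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]
}

# True when certificate $2 verifies against CA file $1. Matches on the "OK"
# line instead of trusting the exit status.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed PKI in directory $1: the CA the master signs with, a stale CA
# with the same subject, and master and node certificates from the current CA.
make_demo_pki() {
    d=$1; n=0
    for ca in ca_current ca_stale; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Puppet CA demo" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    for host in master node; do
        n=$((n + 1))
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host.example.com" \
            -keyout "$d/$host.key" -out "$d/$host.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$host.csr" -CA "$d/ca_current.pem" \
            -CAkey "$d/ca_current.key" -set_serial "$n" -days 2 \
            -out "$d/$host.pem" 2>/dev/null || return 1
    done
}

# $1 = CA cached on the agent, $2 = certificate the master presents,
# $3 = the agent's own certificate.
diagnose() {
    signed_by "$1" "$2" || { echo "master cert does not verify against cached CA"; return 1; }
    signed_by "$1" "$3" || { echo "node cert does not verify against cached CA"; return 1; }
    echo "chain ok"
}

# Run both cases on the constructed PKI; clocks play no part in either result.
demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    diagnose "$d/ca_current.pem" "$d/master.pem" "$d/node.pem"
    diagnose "$d/ca_stale.pem" "$d/master.pem" "$d/node.pem"
    same_cert "$d/ca_current.pem" "$d/ca_stale.pem" || echo "cached CA differs from signing CA"
    rm -rf "$d"
}
demo
```
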
Steve Traylen
2012-Jun-28 19:00 UTC
[Puppet Users] Re: puppet server complains of time sync
On Saturday, 23 June 2012 22:17:24 UTC+2, bluethundr wrote:
>
> Hello list,
>
> I am having an issue where a puppet agent on a client complains that
> clocks are out of sync between it and its master -
>
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
> read server certificate B: certificate verify failed. This is often
> because the time is out of sync on the server or client
> err: Could not remove PID file /var/lib/puppet/run/agent.pid
>
> However without any doubt the clocks are in sync
>
> - date from puppet client
> Saturday, June 23, 2012 01:48:26 PM EDT
> -date from puppet server
> Sat Jun 23 13:48:26 EDT 2012
>

Hi,

Do you have a ruby version mismatch?

http://projects.puppetlabs.com/issues/9084

can cause this in a mixed ruby 1.8 and 1.9 world.

> I ran the following command for the first time on the client,
>
> puppet agent --server puppet01-ops.ops.example.com --waitforcert 60
> --test --debug
>
> and was able to generate and approve a cert request on the puppet
> server. But it failed the first and all subsequent attempts with the
> error message I show above.
>
> The master and client do run different operating systems.