Hello readers,
I have this little issue that my puppet client refuses to do anything
because of SSL validation errors. Maybe I'll just post a dump of what
happens, that makes it clear I hope. Does anyone have a suggestion why that
might happen? What I already checked:
On the master:
- Puppet and puppetmaster is running
- Something is listening on Port 8140 (although I cannot telnet-connect
to it, it closes immediately for whatever reason)
- in /var/lib/puppet/ssl: find . -type f -delete
On the client:
- in /var/lib/puppet/ssl: find . -type f -delete
I would appreciate any help that's available ...
thanks & greetings! Axel.
... and now the little dump:
(CLIENT)
*root@l1311022:/var/lib/puppet/ssl$* *puppet agent --test*
info: Creating a new SSL key for l1311022.our.domain.de
warning: peer certificate won't be verified in this SSL session (2x)
info: Creating a new SSL certificate request for l1311022.our.domain.de
info: Certificate Request fingerprint (md5): 19:60:00:FE:95:D8:1B:D1:7A:0A:08:C1:1F:E1:94:4E
warning: peer certificate won't be verified in this SSL session (3x)
Exiting; no certificate found and waitforcert is disabled
(SERVER)
*l1215022:/var/lib/puppet/ssl # pca -l*
notice: Signed certificate request for ca
notice: Rebuilding inventory file
l1311022.our.domain.de (19:60:00:FE:95:D8:1B:D1:7A:0A:08:C1:1F:E1:94:4E)
*l1215022:/var/lib/puppet/ssl # pca -s --all*
notice: Signed certificate request for l1311022.our.domain.de
notice: Removing file Puppet::SSL::CertificateRequest l1311022.our.domain.de at '/var/lib/puppet/ssl/ca/requests/l1311022.our.domain.de.pem'
l1215022:/var/lib/puppet/ssl #
(CLIENT)
*root@l1311022:/var/lib/puppet/ssl$ puppet agent --test*
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for l1311022.our.domain.de
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://l1215022.our.domain.de/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The config files look like this:
(CLIENT)
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
modulepath = /etc/puppet/modules:/opt/puppet/share/puppet/modules
[agent]
certname = l1311022.our.domain.de
server = l1215022.our.domain.de
report = true
graph = true
pluginsync = true
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
(SERVER)
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
certname = l1215022.our.domain.de
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/ToaPaY7mtgwJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
hm, nevermind, I somehow solved it. although I'm not (yet) sure how. It involved a lot of restarting and deleting :)

thanks anyways!
Axel.

2012/8/10 Axel Bock <axel.bock@arbeitsagentur.de>
> Hello readers,
> [...]
hm, nevermind, I solved it somehow, although I don't know how (yet). it involved a lot of deleting and restarting :) ...

thanks anyways!
/Axel.

On Friday, 10 August 2012 14:10:57 UTC+2, Axel Bock wrote:
> Hello readers,
> [...]
It usually involves doing this on the server:

puppet cert clean myhost

and on the client:

rm -rf /var/lib/puppet/ssl

Then try it again on your client: `puppet agent --test`

Then back to your master: `puppet cert sign myhost`.

On Friday, August 10, 2012 8:30:50 AM UTC-4, Axel Bock wrote:
> hm, nevermind, I solved it somehow, although I don't know how (yet). it
> involved a lot of deleting and restarting :) ...
>
> thanks anyways!
> /Axel.
>
> [...]
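A check that can be run before wiping anything, as an added example that is not part of the thread: it compares the CA certificate the agent has cached with the master's CA and verifies the master's certificate against it, which separates a stale agent-side CA from a master certificate that was not issued by the current CA. The demo builds constructed throwaway certificates with hypothetical names; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.

# SHA-256 fingerprint of a PEM certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if certificate $2 verifies against CA file $1. The output is parsed
# because older openssl releases exit 0 even when verification fails.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# diagnose AGENT_CA MASTER_CA MASTER_CERT -> one verdict on stdout.
diagnose() {
    if [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]; then
        echo stale-agent-ca           # agent cached a CA the master no longer uses
    elif ! chains_to_ca "$1" "$3"; then
        echo master-cert-not-from-ca  # master presents a cert this CA did not sign
    else
        echo ok
    fi
}

# --- constructed test PKI (throwaway keys, hypothetical names) ---
make_ca() {   # make_ca DIR NAME
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n' >"$1/$2.cnf"
    printf '[dn]\nCN=constructed-puppet-ca\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >>"$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
issue() {     # issue DIR CA_NAME CERT_NAME
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=master.example.test" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 2 -days 1 -out "$1/$3.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old && make_ca "$d" new || return 1
    issue "$d" old oldcert && issue "$d" new newcert || return 1
    a=$(diagnose "$d/old.pem" "$d/new.pem" "$d/newcert.pem")   # agent kept the old CA
    b=$(diagnose "$d/new.pem" "$d/new.pem" "$d/oldcert.pem")   # master cert predates the CA
    c=$(diagnose "$d/new.pem" "$d/new.pem" "$d/newcert.pem")   # consistent state
    rm -rf "$d"
    echo "$a $b $c"
}

demo
```

On real hosts the three arguments would be the agent's `certs/ca.pem` and the master's `certs/ca.pem` and `certs/<master certname>.pem` under `ssldir`, with the master's files copied over for comparison; those sub-paths are assumed from Puppet's default layout and do not appear in the thread.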