chris mague
2013-Jan-16 18:43 UTC
[Puppet Users] PuppetDB certificate signature failure for /CN=puppetdb
I regenerated the puppetdb certs according to the instructions here:

Step 3, Option B
https://docs.puppetlabs.com/puppetdb/0.9/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore

And can verify the cert manually using openssl client

  # echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile /etc/ssl/certs/puppetdb.pem | grep Verify
  Verify return code: 0 (ok)

However I still get the following:

  err: Could not retrieve catalog from remote server: Error 400 on SERVER:
  Failed to submit 'replace facts' command for host23.example.com to PuppetDB
  at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server
  certificate B: certificate verify failed: [certificate signature failure for
  /CN=puppetdb]

Where do I place the certs so they are validated by the puppetdb terminus?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/uqqpL4YG9g8J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ken Barber
2013-Jan-18 17:24 UTC
Re: [Puppet Users] PuppetDB certificate signature failure for /CN=puppetdb
Hi Chris,

> I regenerated the puppetdb certs according to the instructions here:
>
> Step 3, Option B
>
> https://docs.puppetlabs.com/puppetdb/0.9/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore
>
> And can verify the cert manually using openssl client
>
> # echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile
> /etc/ssl/certs/puppetdb.pem | grep Verify
> Verify return code: 0 (ok)
>
> However I still get the following:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed to submit 'replace facts' command for host23.example.com to PuppetDB
> at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed: [certificate signature failure for
> /CN=puppetdb]
>
> Where do I place the certs so they are validated by the puppetdb terminus?

The puppetdb terminus should utilise the certificates from the Puppet master instance it is running from. So from a client/terminus perspective, you shouldn't have to do anything. It feels like it's the certificates on the puppetdb server that are having trouble.

What are the full results of this command, when run from the puppetmaster itself?

  openssl s_client -connect puppetdb:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem

Note: I'm specifying the CA file to be the CA on the puppetmaster in this case, which is what the puppetdb terminus should use; I wasn't quite sure /etc/ssl/certs/puppetdb.pem in your case was the correct CA PEM. Either way, I'm interested in the full output using the puppetmaster's CA specifically, as this is what the puppetdb terminus/client will use.

Also, what about the contents of the keystore on the puppetdb server that you configured with those instructions you specified?
This is for example what mine looks like (with the key identifier section removed):

  # keytool -list -v -keystore /etc/puppetdb/ssl/keystore.jks
  Enter keystore password:

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 1 entry

  Alias name: puppetdb1.vm
  Creation date: 10-Jan-2013
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=puppetdb1.vm
  Issuer: CN=Puppet CA: puppetdb1.vm
  Serial number: 2
  Valid from: Wed Jan 09 18:49:41 GMT 2013 until: Tue Jan 09 18:49:41 GMT 2018
  Certificate fingerprints:
           MD5:  5A:CB:F2:5E:84:27:E8:49:BF:0E:83:3A:3A:A8:EA:09
           SHA1: 8F:CA:36:99:93:9F:DB:04:B6:5F:67:45:70:0C:D0:B1:B1:D7:35:D2
           SHA256: D0:C4:C5:D4:FA:14:37:B1:74:F5:D9:EB:78:E0:26:71:06:2F:98:E4:EA:BC:22:6C:E6:40:A4:5A:5E:C5:77:8D
           Signature algorithm name: SHA1withRSA
           Version: 3

  Extensions:

  #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
  0000: 16 28 50 75 70 70 65 74   20 52 75 62 79 2F 4F 70  .(Puppet Ruby/Op
  0010: 65 6E 53 53 4C 20 49 6E   74 65 72 6E 61 6C 20 43  enSSL Internal C
  0020: 65 72 74 69 66 69 63 61   74 65                    ertificate

  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:false
    PathLen: undefined
  ]

  #3: ObjectId: 2.5.29.37 Criticality=true
  ExtendedKeyUsages [
    serverAuth
    clientAuth
  ]

  #4: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_Encipherment
  ]

  #5: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    DNSName: puppet
    DNSName: puppet.vm
    DNSName: puppetdb1.vm
  ]

(I've removed the key identifier)

I'm primarily curious to see that the file is in a valid format, and that the issuer is the CA of your puppetmaster, like mine shows under the 'Issuer' part. Generally this is what the designation 'signature' is all about, referenced in your error message 'certificate signature failure for /CN=puppetdb'.
Beyond that, we'll want to make sure the CA you have in your truststore matches the CA on the puppetmaster:

  puppetdb # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
  Enter keystore password:

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 1 entry

  puppetdb ca, 10-Jan-2013, trustedCertEntry,
  Certificate fingerprint (SHA1): 84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

  puppetmaster # openssl x509 -noout -in /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint
  SHA1 Fingerprint=84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

If these don't match, then your truststore contains the wrong CA file.

ken.
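As an added example (not code from the thread or from PuppetDB), a small Python script that applies the two checks Ken describes to saved keytool and openssl output: the keystore certificate's Issuer must be the puppetmaster CA, and the truststore's CA fingerprint must equal the master CA fingerprint. The sample strings are constructed from the listings quoted above; the ca_subject helper assumes the single-RDN "/CN=Puppet CA: ..." subject that Puppet's CA uses and the older "subject= /CN=..." openssl spelling.

```python
import re

# Constructed sample inputs, copied from the keytool/openssl listings quoted in
# Ken's reply; in practice feed this the real output of the same three commands.
KEYSTORE_LISTING = """\
Alias name: puppetdb1.vm
Entry type: PrivateKeyEntry
Owner: CN=puppetdb1.vm
Issuer: CN=Puppet CA: puppetdb1.vm
"""
TRUSTSTORE_LISTING = """\
puppetdb ca, 10-Jan-2013, trustedCertEntry,
Certificate fingerprint (SHA1): 84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12
"""
# openssl x509 -noout -in /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint -subject
MASTER_CA_OUTPUT = """\
SHA1 Fingerprint=84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12
subject= /CN=Puppet CA: puppetdb1.vm
"""

_FP = r"SHA1.*?((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"  # 20 colon-separated bytes


def field(listing, name):
    """Value of a 'Name: value' line in keytool -list -v output, or None."""
    m = re.search(r"^%s:\s*(.+)$" % re.escape(name), listing, re.MULTILINE)
    return m.group(1).strip() if m else None


def sha1_fingerprint(text):
    """First SHA1 fingerprint on a line mentioning SHA1 (keytool or openssl), upper-cased."""
    m = re.search(_FP, text)
    return m.group(1).upper() if m else None


def ca_subject(openssl_text):
    """Turn 'subject= /CN=Puppet CA: x' into keytool's 'CN=Puppet CA: x' spelling.
    Assumes a single-RDN subject, which is what Puppet's CA certificate carries."""
    m = re.search(r"^subject=\s*/?(.+)$", openssl_text, re.MULTILINE)
    return re.sub(r"\s*=\s*", "=", m.group(1).strip()) if m else None


def check_puppetdb_ssl(keystore, truststore, master_ca):
    """Return the findings that would explain 'certificate signature failure'."""
    problems = []
    if field(keystore, "Entry type") != "PrivateKeyEntry":
        problems.append("keystore holds no PrivateKeyEntry for the PuppetDB host")
    issuer, subject = field(keystore, "Issuer"), ca_subject(master_ca)
    if issuer != subject:
        problems.append("keystore cert issuer %r is not the master CA %r" % (issuer, subject))
    ts_fp, ca_fp = sha1_fingerprint(truststore), sha1_fingerprint(master_ca)
    if ts_fp is None or ts_fp != ca_fp:
        problems.append("truststore CA %s does not match master CA %s" % (ts_fp, ca_fp))
    return problems


if __name__ == "__main__":
    print(check_puppetdb_ssl(KEYSTORE_LISTING, TRUSTSTORE_LISTING, MASTER_CA_OUTPUT) or "no problems found")
```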