OlliesDad@googlemail.com
2013-Feb-27 08:09 UTC
[Puppet Users] Solaris Certificate Problems
Hello,

Have a fully working setup with mostly Linux clients running on a 2.7.x master all is good. Trying to join Solaris clients to this master yields:-

info: Creating a new SSL key for <FQDN>
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for <FQDN>
info: Certificate Request fingerprint (md5): 7D:9C:6E:49:BB:19:06:F8:4C:4D:78:1D:C1:EF:0F:84
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: time out of range

NTP is running fine on both machines and the time is in sync.

# date
Wed Feb 27 08:04:36 GMT 2013

This is on the client which is the same as all the rest of the Linux clients.

# openssl x509 -text -in /etc/puppet/ssl/certs/ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: <PUPPETMASTER-FQDN>
        Validity
            Not Before: Dec 28 11:11:33 2011 GMT
            Not After : Dec 27 11:11:33 2016 GMT
        Subject: CN=Puppet CA: <PUPPETMASTER-FQDN>

These are using the OpenCSW Solaris packages.

I cannot work out why this is happening. Master logs show:-

Could not find certificate for '<FQDN>'
Could not find certificate_request for '<FQDN>'
<FQDN> has a waiting certificate request
Signed certificate request for <FQDN>
Removing file Puppet::SSL::CertificateRequest <FQDN> at '/etc/puppet/ssl/ca/requests/<FQDN>.pem'

I am really stumped now. Any ideas what it could be, anything else to check?

Thanks
Paul
OlliesDad@googlemail.com
2013-Feb-27 15:03 UTC
[Puppet Users] Re: Solaris Certificate Problems
On Wednesday, February 27, 2013 8:09:11 AM UTC, Olli...@googlemail.com wrote:

Figured it out in the end.

Puppet CA server had ca_ttl=25y in it. Solaris is still packing a 32bit OpenSSL. Which took it over 2038.

Set down a few years and it's fine now.

Thanks Solaris....
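The limit described in the reply above, as an added example that is not part of the original thread or of Puppet's own code: a Ruby check that turns a ca_ttl value into a Not After date and tests it against the largest time a signed 32-bit time_t can hold. The function names are hypothetical, the signing time is assumed to be the timestamp of the first post, and the duration suffixes (with a year counted as 365 days) are assumed to match Puppet's duration format.

```ruby
# Largest instant a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_32_MAX = 2**31 - 1

# Seconds per unit. Assumption: these match Puppet's duration suffixes,
# with a year counted as 365 days.
UNIT_SECONDS = {
  's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400, 'y' => 365 * 86_400
}.freeze

# Convert a ca_ttl value such as "25y", "1825d" or "3600" into seconds.
# A bare number is treated as seconds.
def ttl_seconds(ttl)
  m = /\A(\d+)([smhdy])?\z/.match(ttl.to_s.strip)
  raise ArgumentError, "unrecognised ttl: #{ttl.inspect}" unless m
  m[1].to_i * UNIT_SECONDS.fetch(m[2] || 's')
end

# Not After date of a certificate signed at signed_at with this ttl.
def not_after(ttl, signed_at)
  Time.at(signed_at.to_i + ttl_seconds(ttl)).utc
end

# True when that Not After date is representable in a signed 32-bit time_t.
def fits_32bit_time_t?(ttl, signed_at)
  not_after(ttl, signed_at).to_i <= TIME_T_32_MAX
end

# Longest ttl, in whole 365-day years, that still fits at this signing time.
def max_safe_years(signed_at)
  (TIME_T_32_MAX - signed_at.to_i) / UNIT_SECONDS['y']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: signing time taken from the first post's timestamp.
  signed_at = Time.utc(2013, 2, 27, 8, 9, 0)
  %w[25y 5y].each do |ttl|
    verdict = fits_32bit_time_t?(ttl, signed_at) ? 'fits' : 'past the 32-bit limit'
    puts "ca_ttl=#{ttl}: Not After #{not_after(ttl, signed_at)} (#{verdict})"
  end
  puts "longest safe ttl at this signing time: #{max_safe_years(signed_at)}y"
end
```
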