genanr@allantgroup.com
2013-May-31 21:36 UTC
[Puppet Users] Problems with puppetdb and SSL
When I run

openssl s_client -host puppet -port 8081 -CAfile /etc/puppet/ssl/certs/puppet.fqdn

I get Verify return code: 21 (unable to verify the first certificate).

If I run the same command, but use port 8140 to connect to puppet, I get a return code of 19 (which is correct).

I believe that, if I fix this SSL problem then it would fix my main problem which is:

Report processor failed: Failed to submit 'store report' command for puppet1.allantgroup.com to PuppetDB at fqdn:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=fqdn]

I have puppetdb in the dns_alt_names line in puppet.conf

Why does it work on 8140, but not 8081? How can I fix this problem?

Thanks,

Andy
Seems like to me the SSL loaded into PuppetDB (the port 8081 you mention) is not valid. A simple activity would be to use our provided tool to reload the certificates again:

* Move /etc/puppetdb/ssl to ssl.bak to preserve the original
* Backup /etc/puppetdb/conf.d/jetty.ini to say jetty.ini.bak to preserve the original again
* Run puppetdb-ssl-setup -f

This will try to obtain the certificates from your puppet agent installation and load them into the relevant keystores for PuppetDB.

If this doesn't help, let me know.

ken.

On Fri, May 31, 2013 at 10:36 PM, genanr@allantgroup.com <andyr7777777@gmail.com> wrote:
> When I run
>
> openssl s_client -host puppet -port 8081 -CAfile
> /etc/puppet/ssl/certs/puppet.fqdn
>
> I get Verify return code: 21 (unable to verify the first certificate).
>
> If I run the same command, but use port 8140 to connect to puppet, I get a
> return code of 19 (which is correct).
>
> I believe that, if I fix this SSL problem then it would fix my main problem
> which is:
>
> Report processor failed: Failed to submit 'store report' command for
> puppet1.allantgroup.com to PuppetDB at fqdn:8081: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed:
> [certificate signature failure for /CN=fqdn]
>
> I have puppetdb in the dns_alt_names line in puppet.conf
>
> Why does it work on 8140, but not 8081? How can I fix this problem?
>
> Thanks,
>
> Andy
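Added example (not part of the thread and not PuppetDB's own tooling): a shell wrapper around the three steps in the reply above, plus a check that reads the "Verify return code" from the same openssl s_client call on ports 8140 and 8081 and reports whether the two agree. The function names, the reload/check arguments and the exact backup locations (/etc/puppetdb/ssl.bak, /etc/puppetdb/conf.d/jetty.ini.bak) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (hypothetical script, not PuppetDB tooling).
#   reload                 back up SSL material, then run puppetdb-ssl-setup -f
#   check HOST CAFILE      compare the verify result on 8140 and 8081

# Read s_client output on stdin; print the last "Verify return code" number.
verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# probe HOST PORT CAFILE: same s_client call as in the thread, non-interactive.
probe() {
  openssl s_client -host "$1" -port "$2" -CAfile "$3" </dev/null 2>/dev/null |
    verify_code
}

# Succeed only when both codes are present and identical.
codes_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

reload_puppetdb_ssl() {
  # Refuse to clobber an earlier backup (backup paths are assumed, see lead-in).
  if [ -e /etc/puppetdb/ssl.bak ] || [ -e /etc/puppetdb/conf.d/jetty.ini.bak ]; then
    echo "backup already exists, move it aside first" >&2
    return 1
  fi
  mv /etc/puppetdb/ssl /etc/puppetdb/ssl.bak &&
    cp -p /etc/puppetdb/conf.d/jetty.ini /etc/puppetdb/conf.d/jetty.ini.bak &&
    puppetdb-ssl-setup -f
}

case "${1:-}" in
  reload)
    reload_puppetdb_ssl ;;
  check)
    master=$(probe "$2" 8140 "$3")
    puppetdb=$(probe "$2" 8081 "$3")
    echo "8140: ${master:-no answer}  8081: ${puppetdb:-no answer}"
    codes_match "$master" "$puppetdb" ;;
esac
```

The check mode exits non-zero when the two ports return different verify codes or when either port gives no answer, so it can be run before and after the reload.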
genanr@allantgroup.com
2013-Jun-03 16:57 UTC
[Puppet Users] Re: Problems with puppetdb and SSL
Thanks, that solved the ssl problem.

Andy

On Friday, May 31, 2013 4:36:04 PM UTC-5, gen...@allantgroup.com wrote:
> When I run
>
> openssl s_client -host puppet -port 8081 -CAfile
> /etc/puppet/ssl/certs/puppet.fqdn
>
> I get Verify return code: 21 (unable to verify the first certificate).
>
> If I run the same command, but use port 8140 to connect to puppet, I get a
> return code of 19 (which is correct).
>
> I believe that, if I fix this SSL problem then it would fix my main
> problem which is:
>
> Report processor failed: Failed to submit 'store report' command for
> puppet1.allantgroup.com to PuppetDB at fqdn:8081: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed:
> [certificate signature failure for /CN=fqdn]
>
> I have puppetdb in the dns_alt_names line in puppet.conf
>
> Why does it work on 8140, but not 8081? How can I fix this problem?
>
> Thanks,
>
> Andy