Puppet users - Jul 2013 - Certificate errors

Hi all,

I launched a Puppet service a few month ago and it did function pretty well 
for some time.

Last week, I tried to clean old entries but I think I deleted too much 
information as I can no more synchronize my clients.
I get a certificate error :

*[root@REBITPUPPET01 ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate signature failure for 
/CN=rebitpuppet01.cegedim]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using ''eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [certificate signature 
failure for /CN=rebitpuppet01.cegedim]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for 
/CN=rebitpuppet01.cegedim] Could not retrieve file metadata for 
puppet://rebitpuppet01.cegedim/plugins: SSL_connect returned=1 errno=0 
state=SSLv3 read server certificate B: certificate verify failed: 
[certificate signature failure for /CN=rebitpuppet01.cegedim]*

I tried a lot of things following the different threads but I only managed 
to mess a little bit more with my server :-(
At least, I know my truststore should be wrong as "*keytool -list -keystore
/etc/puppetdb/ssl/truststore*" and "*openssl x509 -noout -in 
/var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint*" do not match. The only 
thing is that I do not have the first idea on how to solve this...

Any idea ?

Puppetmaster, dashboard & puppedb are on the same server (Distro = RHEL5.9)
I get the same error even on the puppetmaster server.


Regards


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

OK, I managed to solve my issue by following Reinstalling puppetDB from 
source<http://docs.puppetlabs.com/puppetdb/latest/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore>(Step
3 Option B) even if
/usr/sbin/puppetdb-ssl-setup (option A) did state that the configuration 
was okay.
Regards

On Wednesday, July 3, 2013 5:54:49 PM UTC+2, yannig rousseau
wrote:
>
> Hi all,
>
> I launched a Puppet service a few month ago and it did function pretty 
> well for some time.
>
> Last week, I tried to clean old entries but I think I deleted too much 
> information as I can no more synchronize my clients.
> I get a certificate error :
>
> *[root@REBITPUPPET01 ~]# puppet agent --test
> Warning: Unable to fetch my node definition, but the agent run will 
> continue:
> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server 
> certificate B: certificate verify failed: [certificate signature failure 
> for /CN=rebitpuppet01.cegedim]
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
> using ''eval_generate: SSL_connect returned=1 errno=0 state=SSLv3
read
> server certificate B: certificate verify failed: [certificate signature 
> failure for /CN=rebitpuppet01.cegedim]
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
> verify failed: [certificate signature failure for 
> /CN=rebitpuppet01.cegedim] Could not retrieve file metadata for 
> puppet://rebitpuppet01.cegedim/plugins: SSL_connect returned=1 errno=0 
> state=SSLv3 read server certificate B: certificate verify failed: 
> [certificate signature failure for /CN=rebitpuppet01.cegedim]*
>
> I tried a lot of things following the different threads but I only managed 
> to mess a little bit more with my server :-(
> At least, I know my truststore should be wrong as "*keytool -list 
> -keystore /etc/puppetdb/ssl/truststore*" and "*openssl x509
-noout -in
> /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint*" do not match. The
only
> thing is that I do not have the first idea on how to solve this...
>
> Any idea ?
>
> Puppetmaster, dashboard & puppedb are on the same server (Distro =
RHEL5.9)
> I get the same error even on the puppetmaster server.
>
>
> Regards
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.