btb
2013-Aug-07 14:32 UTC
[Puppet Users] new install with external ca - puppet agent complains "wrong public key type"
hi-

i'm setting up a new puppet environment, with an existing, separate ca. to that end, i've been referring to this document:

http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html

here is my agent config:

    [main]
    vardir = /var/lib/puppet
    rundir = /var/run/puppet
    logdir = /var/log/puppet
    ssldir = $vardir/ssl
    templatedir = $confdir/templates
    server = config.example.com

    [agent]
    hostprivkey = /etc/puppet/pki/$certname-key.pem
    hostpubkey = /etc/puppet/pki/$certname-key-public.pem
    hostcert = /etc/puppet/pki/$certname-cert.pem
    localcacert = /etc/pki/trusted_root_authorities/ca-certificates.crt
    certificate_revocation = false

when starting the puppet agent, the following is logged:

    Aug 7 09:07:38 fester puppet-agent[5281]: Starting Puppet client version 3.2.2
    Aug 7 09:07:38 fester puppet-agent[5281]: Reopening log files
    Aug 7 09:07:43 fester puppet-agent[5287]: Unable to fetch my node definition, but the agent run will continue:
    Aug 7 09:07:43 fester puppet-agent[5287]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type]
    Aug 7 09:07:43 fester puppet-agent[5287]: Retrieving plugin
    Aug 7 09:07:43 fester puppet-agent[5287]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type]
    Aug 7 09:07:44 fester puppet-agent[5287]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type] Could not retrieve file metadata for puppet://config.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type]
    Aug 7 09:07:44 fester puppet-agent[5287]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type]
    Aug 7 09:07:44 fester puppet-agent[5287]: Using cached catalog
    Aug 7 09:07:44 fester puppet-agent[5287]: Could not retrieve catalog; skipping run
    Aug 7 09:07:44 fester puppet-agent[5287]: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [wrong public key type]

openssl seems to indicate the public key is at least valid within a general context:

    >openssl pkey -pubin -in $(puppet agent --configprint hostpubkey) -text -noout
    Public-Key: (4096 bit)
    Modulus: [...]
    Exponent: 65537 (0x10001)

how can i further troubleshoot what is wrong? i've not been able to find any references to "wrong public key type" in my research so far.

regards
-ben