yamakasi.014@gmail.com
2013-Nov-19 23:48 UTC
[Puppet Users] Puppetmaster generated Certificate with "old" CA domainname
Hi All,

I'm facing a very strange problem.

Because I had some mismatching with new agents I decided to remove all my certs and start over. This all goes well, I can sign new agent-certs but after that when I run an agent test I get some strange error:

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local] Could not retrieve file metadata for puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]

In the past I changed my Foreman install from OLD.domain.local to domain.local as I didn't need a subdomain anymore. I changed all kinds of things that were needed in Foreman and Puppet and regenerated the certs. Everything seemed to go well, until now.

I have run grep -iR 'OLD.domain' . on all kinds of folders, /etc and /var/lib/puppet and I don't see any strange things, only old logs. Only in /usr/lib/jvm/ I see some java cert stuff where the name might be in, but that's just that.

What can I do to solve this as I'm really lost why and how this evening.

I hope someone can help out.

Thanks!

Matt
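A note on the grep in the post above, as an added example that is not part of the thread: PEM files hold a certificate as base64-encoded DER, so a text search for the old domain cannot match a name stored inside one. The script below decodes each certificate with `openssl x509` and matches on subject and issuer instead; the function names, the script file name and the sample CA name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. "grep -iR OLD.domain" only sees plain
# text; names inside PEM certificates are base64-encoded and stay hidden.

# find_certs_naming DIR NEEDLE
# Prints "path<TAB>subject<TAB>issuer" for every certificate file under DIR
# whose subject or issuer contains NEEDLE (case-insensitive, fixed string).
find_certs_naming() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' \) 2>/dev/null |
    while IFS= read -r f; do
        # Keys, CSRs and CRLs fail to parse as X.509 and are skipped.
        # Only the first certificate in a bundle file is inspected.
        info=$(openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null) || continue
        subject=$(printf '%s\n' "$info" | sed -n 's/^subject= *//p')
        issuer=$(printf '%s\n' "$info" | sed -n 's/^issuer= *//p')
        if printf '%s\n%s\n' "$subject" "$issuer" | grep -qiF -- "$2"; then
            printf '%s\t%s\t%s\n' "$f" "$subject" "$issuer"
        fi
    done
}

# make_sample_ca DIR: writes a throwaway self-signed CA (constructed name,
# not the poster's) to DIR/certs/ca.pem so the search can be tried offline.
make_sample_ca() {
    mkdir -p "$1/certs" "$1/private_keys" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Puppet CA: fm-01.old.example.test' \
        -keyout "$1/private_keys/ca_key.pem" -out "$1/certs/ca.pem" 2>/dev/null
}

# Usage (hypothetical file name): sh find_certs.sh /var/lib/puppet/ssl OLD.domain
if [ "$#" -eq 2 ]; then
    find_certs_naming "$1" "$2"
fi
```

A certificate whose subject and issuer are identical is self-signed, which is how a CA certificate appears in this output.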
Mark Walkom
2013-Nov-19 23:49 UTC
Re: [Puppet Users] Puppetmaster generated Certificate with "old" CA domainname
Did you clean the agent cert store out as well?
I've run into similar and that's sorted the issue.

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: markw@campaignmonitor.com
web: www.campaignmonitor.com
yamakasi.014@gmail.com
2013-Nov-20 00:54 UTC
Re: [Puppet Users] Puppetmaster generated Certificate with "old" CA domainname
Hi Mark,

Yes I removed /var/lib/puppet/ssl on the agent.

At the moment I get an: Error: Could not request certificate: Connection timed out - connect(2)

But what I see on the master when running the agent on a client:

tcp 0 0 10.0.0.250:8140 dhcp-01.domain...:46779 SYN_RECV

And that takes a long time and the connection timeout happens.

Matt
yamakasi.014@gmail.com
2013-Nov-20 01:03 UTC
Re: [Puppet Users] Puppetmaster generated Certificate with "old" CA domainname
I have to say, both hosts are in /etc/hosts to be sure it's not a DNS issue.
Felix Frank
2013-Nov-21 10:15 UTC
Re: [Puppet Users] Puppetmaster generated Certificate with "old" CA domainname
Hi,

humm, the TCP handshake fails...? Is there firewalling on master and/or agent side?

Are you using passenger by the way?

Cheers,
Felix

On 11/20/2013 01:54 AM, yamakasi.014@gmail.com wrote:
> Hi Mark,
>
> Yes I removed /var/lib/puppet/ssl on the agent.
>
> At the moment I get an: Error: Could not request certificate: Connection
> timed out - connect(2)
>
> But what I see on the master when running the agent on a client:
>
> tcp 0 0 10.0.0.250:8140 dhcp-01.domain...:46779 SYN_RECV
>
> And that takes a long time and the connection timeout happens.
>
> Matt