Puppet users - Nov 2013 - Puppetmaster generated Certificate with "old" CA domainname

Hi All,

I''m facing a very strange problem.

Because I had some mismatching with new agents I decided to remove all my 
cerst and start over. This all goes well, I can sign new agent-certs but 
after that when I run an agent test I get some strange error:

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using ''eval_generate'': SSL_connect returned=1 errno=0
state=SSLv3 read
server certificate B: certificate verify failed: [self signed certificate 
in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for /CN=Puppet 
CA: fm-01.OLD.domain.local] Could not retrieve file metadata for 
puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0 
state=SSLv3 read server certificate B: certificate verify failed: [self 
signed certificate in certificate chain for /CN=Puppet CA: 
fm-01.OLD.domain.local]

In the past I changed my Foreman installt from OLD.domain.local to 
domain.local as I don''t needed a subdomain anymore. I changed all kinds
of
things that were needed in Foreman and Puppet and regenerated the certs. 
Everything seemed to go well, unless now.

I have grep -iR ''OLD.domain'' . on all kinds of folders, /etc
and
/var/lib/puppet and I don''t see any strange things, only old logs. Only
in
/usr/lib/jvm/ I see some java cert stuff where the name might be in, but 
that''s just that.

What can I do to solve this as I''m really lost why and how this
evening.

I hope someone can help out.

Thanks!

Matt


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/6185c52d-a2b7-4654-85e7-f9165fd6d7b9%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Did you clean the agent cert store out as well?
I''ve run into similar and that''s sorted the issue.

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: markw@campaignmonitor.com
web: www.campaignmonitor.com


On 20 November 2013 10:48, <yamakasi.014@gmail.com> wrote:
> Hi All,
>
> I''m facing a very strange problem.
>
> Because I had some mismatching with new agents I decided to remove all my
> cerst and start over. This all goes well, I can sign new agent-certs but
> after that when I run an agent test I get some strange error:
>
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using ''eval_generate'': SSL_connect returned=1 errno=0
state=SSLv3 read
> server certificate B: certificate verify failed: [self signed certificate
> in certificate chain for /CN=Puppet CA: fm-01.OLD.domain.local]
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed: [self signed certificate in certificate chain for /CN=Puppet
> CA: fm-01.OLD.domain.local] Could not retrieve file metadata for
> puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed: [self
> signed certificate in certificate chain for /CN=Puppet CA:
> fm-01.OLD.domain.local]
>
> In the past I changed my Foreman installt from OLD.domain.local to
> domain.local as I don''t needed a subdomain anymore. I changed all
kinds of
> things that were needed in Foreman and Puppet and regenerated the certs.
> Everything seemed to go well, unless now.
>
> I have grep -iR ''OLD.domain'' . on all kinds of folders,
/etc and
> /var/lib/puppet and I don''t see any strange things, only old logs.
Only in
> /usr/lib/jvm/ I see some java cert stuff where the name might be in, but
> that''s just that.
>
> What can I do to solve this as I''m really lost why and how this
evening.
>
> I hope someone can help out.
>
> Thanks!
>
> Matt
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/puppet-users/6185c52d-a2b7-4654-85e7-f9165fd6d7b9%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAEM624Yv3vkkjLpDOwNcMCpXgQt9TSwH-84iiMfo5g0kmGjbpA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Hi Mark,

Yes I removed /var/lib/puppet/ssl on the agent.

At the moment I get an: Error: Could not request certificate: Connection 
timed out - connect(2)

But what I see on the master when running the agent on a client:

tcp        0      0 10.0.0.250:8140         dhcp-01.domain...:46779 
SYN_RECV   

And that takes a long time and the connection timeout happens.

Matt


Op woensdag 20 november 2013 00:49:31 UTC+1 schreef Mark
Walkom:
>
> Did you clean the agent cert store out as well?
> I''ve run into similar and that''s sorted the issue.
>
> Regards,
> Mark Walkom
>
> Infrastructure Engineer
> Campaign Monitor
> email: ma...@campaignmonitor.com <javascript:>
> web: www.campaignmonitor.com
>  
>
> On 20 November 2013 10:48, <yamaka...@gmail.com <javascript:>>
wrote:
>
>> Hi All,
>>
>> I''m facing a very strange problem.
>>
>> Because I had some mismatching with new agents I decided to remove all
my
>> cerst and start over. This all goes well, I can sign new agent-certs
but
>> after that when I run an agent test I get some strange error:
>>
>> Error: /File[/var/lib/puppet/lib]: Failed to generate additional 
>> resources using ''eval_generate'': SSL_connect
returned=1 errno=0 state=SSLv3
>> read server certificate B: certificate verify failed: [self signed 
>> certificate in certificate chain for /CN=Puppet CA:
fm-01.OLD.domain.local]
>> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
>> returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
>> verify failed: [self signed certificate in certificate chain for
/CN=Puppet
>> CA: fm-01.OLD.domain.local] Could not retrieve file metadata for 
>> puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0 
>> state=SSLv3 read server certificate B: certificate verify failed: [self
>> signed certificate in certificate chain for /CN=Puppet CA: 
>> fm-01.OLD.domain.local]
>>
>> In the past I changed my Foreman installt from OLD.domain.local to 
>> domain.local as I don''t needed a subdomain anymore. I changed
all kinds of
>> things that were needed in Foreman and Puppet and regenerated the
certs.
>> Everything seemed to go well, unless now.
>>
>> I have grep -iR ''OLD.domain'' . on all kinds of
folders, /etc and
>> /var/lib/puppet and I don''t see any strange things, only old
logs. Only in
>> /usr/lib/jvm/ I see some java cert stuff where the name might be in,
but
>> that''s just that.
>>
>> What can I do to solve this as I''m really lost why and how
this evening.
>>
>> I hope someone can help out.
>>
>> Thanks!
>>
>> Matt
>>
>>
>>  -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to puppet-users...@googlegroups.com <javascript:>.
>> To view this discussion on the web visit 
>>
https://groups.google.com/d/msgid/puppet-users/6185c52d-a2b7-4654-85e7-f9165fd6d7b9%40googlegroups.com
>> .
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/a411fffa-5f13-4f5b-abbf-707ab4b4c679%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

I have to say, both hosts are in /etc/hosts to be sure it''s not a DNS
issue.

Op woensdag 20 november 2013 01:54:09 UTC+1 schreef
yamaka...@gmail.com:
>
> Hi Mark,
>
> Yes I removed /var/lib/puppet/ssl on the agent.
>
> At the moment I get an: Error: Could not request certificate: Connection 
> timed out - connect(2)
>
> But what I see on the master when running the agent on a client:
>
> tcp        0      0 10.0.0.250:8140         dhcp-01.domain...:46779 
> SYN_RECV   
>
> And that takes a long time and the connection timeout happens.
>
> Matt
>
>
> Op woensdag 20 november 2013 00:49:31 UTC+1 schreef Mark Walkom:
>>
>> Did you clean the agent cert store out as well?
>> I''ve run into similar and that''s sorted the issue.
>>
>> Regards,
>> Mark Walkom
>>
>> Infrastructure Engineer
>> Campaign Monitor
>> email: ma...@campaignmonitor.com
>> web: www.campaignmonitor.com
>>  
>>
>> On 20 November 2013 10:48, <yamaka...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I''m facing a very strange problem.
>>>
>>> Because I had some mismatching with new agents I decided to remove
all
>>> my cerst and start over. This all goes well, I can sign new
agent-certs but
>>> after that when I run an agent test I get some strange error:
>>>
>>> Error: /File[/var/lib/puppet/lib]: Failed to generate additional 
>>> resources using ''eval_generate'': SSL_connect
returned=1 errno=0 state=SSLv3
>>> read server certificate B: certificate verify failed: [self signed 
>>> certificate in certificate chain for /CN=Puppet CA:
fm-01.OLD.domain.local]
>>> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
>>> returned=1 errno=0 state=SSLv3 read server certificate B:
certificate
>>> verify failed: [self signed certificate in certificate chain for
/CN=Puppet
>>> CA: fm-01.OLD.domain.local] Could not retrieve file metadata for 
>>> puppet://fm-01.domain.local/plugins: SSL_connect returned=1 errno=0
>>> state=SSLv3 read server certificate B: certificate verify failed:
[self
>>> signed certificate in certificate chain for /CN=Puppet CA: 
>>> fm-01.OLD.domain.local]
>>>
>>> In the past I changed my Foreman installt from OLD.domain.local to 
>>> domain.local as I don''t needed a subdomain anymore. I
changed all kinds of
>>> things that were needed in Foreman and Puppet and regenerated the
certs.
>>> Everything seemed to go well, unless now.
>>>
>>> I have grep -iR ''OLD.domain'' . on all kinds of
folders, /etc and
>>> /var/lib/puppet and I don''t see any strange things, only
old logs. Only in
>>> /usr/lib/jvm/ I see some java cert stuff where the name might be
in, but
>>> that''s just that.
>>>
>>> What can I do to solve this as I''m really lost why and how
this evening.
>>>
>>> I hope someone can help out.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>>
>>>  -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it,
send
>>> an email to puppet-users...@googlegroups.com.
>>> To view this discussion on the web visit 
>>>
https://groups.google.com/d/msgid/puppet-users/6185c52d-a2b7-4654-85e7-f9165fd6d7b9%40googlegroups.com
>>> .
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/b814ba1c-36e2-4d06-92fc-cf0fc1bf1e2e%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Hi,

humm, the TCP handshake fails...?

Is there firewalling on master and/or agent side?

Are you using passenger by the way?

Cheers,
Felix

On 11/20/2013 01:54 AM, yamakasi.014@gmail.com wrote:
> Hi Mark,
> 
> Yes I removed /var/lib/puppet/ssl on the agent.
> 
> At the moment I get an: Error: Could not request certificate: Connection
> timed out - connect(2)
> 
> But what I see on the master when running the agent on a client:
> 
> tcp        0      0 10.0.0.250:8140         dhcp-01.domain...:46779
> SYN_RECV  
> 
> And that takes a long time and the connection timeout happens.
> 
> Matt
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/528DDD54.8060805%40alumni.tu-berlin.de.
For more options, visit https://groups.google.com/groups/opt_out.