Dhanarajan Ponnurangam
2013-Dec-12 09:14 UTC
[Puppet Users] Need help in addressing this error - ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
Hi ,
I am new to this puppet. I am implementing a network where my cisco switch
will contact the puppet server for getting the configuration.
I tried installing open source puppet and was successful in pushing down
the configurations.
I wanted then to try the same exercise with puppet enterprise 3.1. I
installed puppet enterprise in a different server and changed my puppet
agent (switch) to reflect this new server as the puppet master.
I have autosign.conf created under /etc/puppet-labs/puppet/ with the entry
*.<domain_name>.com. I have site.pp and other files specific for cisco
device as I had in previous exercise(open source puppet).
When I initiaite the puppet master using the command "puppet master -d
--no-daemonize" I see the following error in
/var/log/pe-puppet/masterhttp.log,
I did a websearch and tried all the options available, but still the error
pops out continuously. Not sure if am missing anything.
Could anyone please help me in addressing the below issue.
Appreciate your inputs on the same.
[2013-12-12 08:55:39] INFO WEBrick 1.3.1
[2013-12-12 08:55:39] INFO ruby 1.9.3 (2013-06-27) [x86_64-linux]
[2013-12-12 08:55:39] DEBUG TCPServer.new(0.0.0.0, 8140)
[2013-12-12 08:55:39] INFO
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Puppet CA generated on savbu-razor-server.cisco.com at
2013-12-10 05:05:10 -0800
Validity
Not Before: Dec 11 16:55:39 2013 GMT
Not After : Dec 11 16:55:39 2018 GMT
Subject: CN=10.193.174.38
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c2:a9:e2:8b:17:21:ca:65:65:9b:d2:76:0c:06:
d9:aa:4c:6c:df:55:45:7a:34:5a:a6:ab:af:7a:cc:
5d:a7:23:3e:66:61:9d:70:cf:4b:2c:d0:7f:dd:3a:
a6:95:ee:83:39:5d:ee:1b:f1:1c:29:71:68:dc:37:
c5:e7:c9:d0:cc:05:22:2c:c7:a9:18:10:ff:2b:1f:
76:43:96:64:44:9d:79:9d:8b:81:2d:da:d7:5b:25:
10:cc:4c:c3:93:7e:83:08:19:41:fe:93:a7:c0:8f:
60:bc:aa:f9:5d:3d:f1:95:8e:73:38:ac:64:71:46:
67:88:83:34:a2:9e:a1:6e:4b:27:ce:94:27:82:b4:
c9:0c:fc:a7:4f:93:d5:20:f6:4a:14:68:87:d8:8e:
8c:1b:5c:47:06:e2:b6:f4:37:d2:60:f7:e3:d7:bf:
e0:21:b2:a7:10:1b:92:1b:4f:ef:cc:f1:dc:f8:57:
29:81:09:06:b1:00:aa:e5:76:23:12:6f:10:b3:63:
8a:8c:2b:08:46:10:66:e5:4a:3a:ab:b4:b9:4c:67:
5f:9e:01:46:45:dd:19:bf:c1:ad:1a:c3:19:3a:a5:
0d:28:96:41:9b:67:16:7e:98:92:ec:46:86:ee:e1:
07:87:62:56:32:7f:05:f6:89:c6:b1:e4:85:7e:52:
10:4e:b6:fd:11:e3:74:dd:4e:48:90:11:9a:aa:95:
59:92:9a:88:a5:99:45:00:82:68:c7:93:fb:5f:13:
04:1d:75:87:4d:f7:97:62:08:ce:5d:19:ee:6f:71:
d2:cf:f9:46:4e:a2:8e:3b:a7:00:55:2c:e2:0e:ee:
56:d7:62:8f:9b:d8:20:6f:f7:e4:8c:f9:69:6c:d5:
b5:9f:53:68:ed:d8:85:0a:1f:4d:41:36:2b:9c:a3:
81:b0:77:78:8e:6e:47:c2:6e:00:ca:4d:f9:32:1e:
0f:98:8a:14:0d:f7:dd:ed:55:06:ae:62:3d:73:0c:
35:23:be:a2:9a:69:84:2e:e5:5b:9c:ca:8f:f7:02:
b9:1b:1a:e2:66:47:e2:7c:55:21:42:78:0e:dd:7e:
1a:cd:ad:6e:e1:f5:cc:42:b4:fd:cb:23:73:cf:58:
8d:ad:5a:b3:f1:f0:eb:fd:98:96:c0:54:c8:1a:64:
8a:a3:a1:e2:67:ca:dc:76:4a:cb:7b:e5:55:54:31:
c1:6c:7b:03:16:cb:b1:d6:dd:10:1e:c8:e8:34:d1:
22:b8:33:95:72:6c:48:75:65:35:e8:6f:17:66:7b:
34:10:d8:b8:2b:8c:ef:70:68:b3:62:b3:62:ac:30:
21:74:49:c6:c1:34:9c:ac:be:e8:da:04:79:e9:d7:
60:44:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
Puppet Ruby/OpenSSL Internal Certificate
X509v3 Subject Alternative Name:
DNS:10.193.174.38, DNS:puppet, DNS:puppet.cisco.com,
DNS:savbu-razor-server.cisco.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
5B:08:3C:EA:AE:04:4E:A5:DF:FB:8A:77:73:F8:04:31:76:DD:F1:E4
Signature Algorithm: sha256WithRSAEncryption
d0:94:b2:9d:8f:06:db:2c:57:92:a8:d6:2c:e8:26:bd:7e:38:
ac:ea:79:38:13:f4:02:0b:23:5b:1d:44:8d:75:a8:87:69:57:
03:83:cf:1c:a9:1b:9c:60:78:80:74:56:68:3d:9d:11:14:7d:
cf:d0:9c:d5:96:1f:11:63:07:c9:57:d1:b3:24:63:b7:6e:63:
9d:9a:28:bc:34:a7:7f:19:f2:d4:39:0c:e8:3f:89:72:96:7f:
2a:61:f2:b6:ef:2d:7c:b2:a5:2e:61:f8:dc:60:dd:dc:2f:6e:
25:5f:05:19:de:39:6a:af:4d:49:e4:f0:86:00:3a:95:e2:84:
2e:37:74:25:99:f8:0e:15:57:5a:43:d8:54:db:65:35:85:0a:
6e:aa:95:ff:11:95:4c:0d:f2:e9:35:2e:d3:22:b2:7d:cf:f4:
97:0c:3c:eb:35:2e:27:83:9f:7f:7c:8e:36:df:d6:b1:4c:d5:
02:d1:ba:f9:52:db:96:45:8e:21:d2:4f:fd:73:6e:ac:4a:c6:
08:50:73:28:64:03:2f:fb:26:af:41:24:a9:97:e2:81:b1:81:
c2:d6:fc:fa:4c:8b:a9:22:9c:a1:13:24:94:ca:9b:f3:61:3a:
d8:28:16:c4:8c:77:c2:28:bc:a4:67:5a:cc:8c:b6:08:15:ce:
7a:90:fb:61:a7:cd:9b:d9:c5:18:bb:31:9e:be:29:cf:e3:21:
58:22:89:60:db:5d:f0:42:2b:25:58:ca:7a:b8:cb:eb:18:27:
6f:6d:af:66:61:c9:83:94:cd:c2:5f:11:3a:59:e5:18:60:48:
2a:5e:6f:91:70:1a:81:dc:f2:f1:4d:c9:5e:49:e9:81:39:ed:
9b:e0:d5:ab:0e:42:61:6a:19:d8:a7:25:0d:b5:09:05:f7:2e:
5b:5b:67:6e:7c:7b:9a:e9:29:42:40:0b:97:88:e9:a9:82:87:
ad:af:59:6a:2c:e3:35:6e:a0:26:a2:4f:5f:d6:2c:c1:ab:e5:
89:3b:df:44:e9:60:1e:6f:10:70:f4:f1:80:50:20:38:e5:1a:
cb:5b:53:a2:44:71:f2:a3:af:58:3e:83:65:f1:60:30:b7:09:
32:9b:42:3e:88:d5:27:6d:0b:8e:fa:28:da:b2:a9:65:81:4b:
ab:50:e9:b0:bd:ec:fb:0b:3c:69:20:f8:df:ff:6d:93:1d:77:
60:77:8d:48:45:c0:38:e4:77:6a:3a:09:c9:51:b4:bc:29:bd:
61:e2:b7:f5:30:ed:e3:e1:ae:cd:32:18:e0:d1:7c:b0:ff:ca:
ae:f0:cc:a1:3a:27:b5:38:5c:56:ab:4c:f4:8c:1a:18:ca:3b:
d8:2c:23:3c:3d:4f:18:e0
[2013-12-12 08:55:39] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted
on /.
[2013-12-12 08:55:39] INFO WEBrick::HTTPServer#start: pid=4808 port=8140
[2013-12-12 08:56:07] DEBUG accept: 10.193.174.147:32849
[2013-12-12 08:56:07] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1
errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in
`accept''
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in
`block (3 levels) in listen''
/opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `call''
/opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `block in
start_thread''
[2013-12-12 08:56:07] DEBUG close: 10.193.174.147:32849
[2013-12-12 08:56:07] DEBUG accept: 10.193.174.147:32918
[2013-12-12 08:56:07] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1
errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in
`accept''
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/network/http/webrick.rb:34:in
`block (3 levels) in listen''
/opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `call''
/opt/puppet/lib/ruby/1.9.1/webrick/server.rb:191:in `block in
start_thread''
[2013-12-12 08:56:07] DEBUG close: 10.193.174.147:32918
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/1622caa2-be1b-4ad1-b0d2-1d2361cbc066%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
jcbollinger
2013-Dec-12 14:48 UTC
[Puppet Users] Re: Need help in addressing this error - ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
On Thursday, December 12, 2013 3:14:09 AM UTC-6, Dhanarajan Ponnurangam wrote:> > > Hi , > > I am new to this puppet. I am implementing a network where my cisco switch > will contact the puppet server for getting the configuration. > I tried installing open source puppet and was successful in pushing down > the configurations. > > I wanted then to try the same exercise with puppet enterprise 3.1. I > installed puppet enterprise in a different server and changed my puppet > agent (switch) to reflect this new server as the puppet master. > I have autosign.conf created under /etc/puppet-labs/puppet/ with the > entry *.<domain_name>.com. I have site.pp and other files specific for > cisco device as I had in previous exercise(open source puppet). > When I initiaite the puppet master using the command "puppet master -d > --no-daemonize" I see the following error in > /var/log/pe-puppet/masterhttp.log, > >The agent created a certificate when it first ran, and requested that the original master -- which by default serves as CA -- to sign it. When you point that agent at a different master that, like the first, serves as its own CA, the agent continues to use its existing certificate. The new master does not recognize the original one as a trusted CA, however, so it rejects the agent''s certificate. If necessary, it is possible to configure your masters to use a central CA instead of each serving as its own. If something like that is not done, however, then you need to clean out agents'' certificates when you transfer them between masters. To do so, simply delete the client''s entire puppet SSL directory, typically located at /var/lib/puppet/ssl. (But not on your master!) You will typically then also want to revoke the client''s certificate and delete it from the original master ("puppet cert clean <certname>" for Puppet OS), though it''s not strictly necessary to do so. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1ce004ab-b30d-421a-bb9a-ab674b55f6bc%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.