I have a problem with openconnect VPN using TPM and certificate.
Using certificate file /etc/pki/XXXX/XXXXX.crt
Error importing PKCS#11 URL pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=XXXXX-TPM2-TOKEN;id=%30%32;object=XXXXX-RSA2048-keypair;type=private: The requested PKCS #11 object is not available
Loading certificate failed. Aborting.
Failed to open HTTPS connection to YYYYY.com
What can I do to find the root cause?
Related
I am new to puppet I got this error on the puppet slave. After a bit of research on the internet, I found a solution that works, unfortunately, there was not a precise explanation as to the cause of the error or what the code was doing that fixed the issue. I really do not appreciate copy and pasting codes without understanding what the code is doing and how it was fixed/ I would really appreciate it if I can get an explanation of why the error occurred and what the code is doing to fix this issue thanks.
Error Message
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect SYSCALL returned=5 errno=0 state=unknown state
Solution
[root#host ~]# puppet config print ssldir
/etc/puppetlabs/puppet/ssl
[root#host ~]# mkdir /tmp/puppet-ssl-orig
[root#host ~]# mv /etc/puppetlabs/puppet/ssl/* /tmp/puppet-ssl-orig
[root#host ~]# puppet agent -t
The error messages you present show that the problem revolved around the agent failing to establish an SSL connection with the master. There isn't enough information in the messages themselves or the other materials presented to determine a priori the specific nature of the problem, but the mitigation you performed was to remove all the agent's stored certificates (including its own). From the fact that this solved the problem, we can deduce that the agent was rejecting the master's host certificate.
Very likely this situation arose from the agent previously having synced with a master, but then trying to request a catalog from a cryptographically different master. For example, reinstalling Puppet on the master will typically wipe out any previous cryptographic certificates, which could produce this effect. Or this is also what you would expect to happen if a bona fide evil actor tried to impersonate the real master with one under their own control (unless they had managed to steal the real master's certs).
In any event, wiping out the agent's existing certs would cause it to
generate a new certificate for itself and a corresponding certificate-signing request
accept the master's certificate and CA certificate upon the next catalog request, and submit the CSR
accept a new signed certificate for itself from the master
That all the certificate-signing bits succeeded indicates also that the master had no record of a certificate previously issued to this particular agent, which also supports the theory of the master having been swapped out from under the agent.
Puppet sucks and this SSL nonsense is one of the big reasons.
Here is the quick and dirty way, for CentOS 7 and puppet 6 I believe.
Note that this removes the certs on both sides so if other clients used the master, you will have to reset them too.
Conditions : hostname op both client and server is known to both ( for example host entries in /etc/hosts with proper name and IP, or DNS ).
On the master:
rm -rf $(puppet master --configprint ssldir)
systemctl restart puppetmaster
On the client:
rm -rf /etc/puppetlabs/puppet/ssl/
puppet agent --test --verbose #( agent run creates/requests certs )
Then on the master again:
puppet cert sign --all
Then run the agent again and it should work.
It depends on the puppet version if intermediate CA certificates are used with all problems with that and there are incompatibilities between versions too.
Below is the problem:
I compiled apache http server 2.4.34 with Openssl 1.0.2p.
When I use the ciphersuite supporting TLSv1.2, TLSv1.1, TLSv1(Intermediate compatibility), It works.
But I get below error when I use high security CipherSuite supporting only TLSv1.2(Modern Compatibility).
Error in apache debug logs:::
SSL Library Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate
Ciphersuite(Modern) from "https://wiki.mozilla.org/Security/Server_Side_TLS":::
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Please help me solve this issue.
The client does not have your RSA certificate
I have to give up using PE to set up my puppet master :( and I have been throw in the cold cruel Opensource Puppet world.
I have been trying to set up a opensource puppet master on a RHEL7 system. I am planning to do this a couple of times so wrote a very simple shell script. Here's the script:
#!/bin/sh
pc_rpm_name='puppetlabs-release-pc1'
pc_yum_repo_url="https://yum.puppetlabs.com/${pc_rpm_name}-el-7.noarch.rpm"
# set up puppet collection yum repo
rpm -Uvh $pc_yum_repo_url
yum -y install puppetserver
systemctl start puppetserver
/opt/puppetlabs/bin/puppet module install puppetlabs-puppetdb --version 5.1.2
I have a puppet master puppet class I wrote it is very simple:
class my_puppetmaster {
class { 'puppetdb': listen_address => %{::fqdn} }"
include puppetdb::master::config
}
I want to use hiera for my node classification so I have done this:
# pwd
/etc/puppetlabs/code/environments/production/manifests
# cat site.pp
hiera_include('classes')
I have also created this file:
# pwd
/etc/puppetlabs/code/environments/production/hieradata/nodes
# cat puppet_master.yaml
classes:
- my_puppetmaster
And here is my hiera.yaml file:
# pwd
/etc/puppetlabs/puppet
# head hiera.yaml
---
:backends:
- yaml
:hierarchy:
- "nodes/%{::trusted.certname}"
- "nodes/%{::role}"
...
I haven't gotten around to set up a custom fact yet. I figure I could testing out at the point by rebooting the system to give everything a good shake out and then running puppet agent -t and see what happens. When I run puppet agent -t on the puppet master I get this output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
I guess I left something out of my set up script. So ... what did I miss?
Thanks
Red
I forgot to update my puppet.conf. I had "server = puppet" I need to change that to "server = fqdn of my puppet master"
I'm trying to connect my puppetmaster and my puppet client. I've been having trouble with the certificates. I was originally trying to use the puppetmaster's IP address (because we don't have DNS set up), but now I think I'll have to edit the hosts file when I set up a new machine to map puppet to its ip.
So once I do that, I'm still having issues. Some background: on the master, I had tried to get rid of the server certificate a few times and recreate a new one. I think that's causing the problem because the log is saying it was revoked. devtest is the puppet agent.
This is what happens when I try to test the agent.
[root#devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I'm understanding the first error properly, it's saying the certificate presented by the master server for servername.mydomain.com has been revoked. (I've edited the log to remove the actual server name and domain).
So I want to have puppetmaster serve up a new certificate. I go onto it, and stop the Apache service (so it doesn't hold the certificate in memory).
I then delete the ssl folder, and try to regenerate the puppet certificate:
[ZachDev#mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache, and get an error. systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point, I'm just guessing at what the config file settings should be. I assume some config files need to be changed -- either the Apache config or the Puppet config, but at this point I'm not sure what the right certificates are. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.
There are multiple issues with your setup. You are indeed right that you need to
pick an FQDN for the master and make sure the agents can resolve it
via respective hosts file or
through dnsmasq
tell the master to use that name as its SSL CN
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it considered 10.128.119.155 to be its name and used that as the CN - this is not sensible).
Next, make sure Apache uses this certificate instead of the CA certificate.
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can make sure /var/lib/puppet/ssl is the correct path using puppet master --configprint ssldir).
Your master should now have a valid certificate to present. If an agent reaches it through its FQDN, the SSL handshake should succeed.
I installed PE Master on one VM and Agents on two VMs pointing to master . Agent1 VM 64 bit works fine , but agent2 VM 32 bit fails with below error. Only difference is architecture. One more note both the agent nodes were accepted from Dashboard,so master has both the certificates.
Any help will be greatly appreciated.
puppet-enterprise-3.1.0-el-6-i386]# puppet agent --test
Info: Caching certificate for
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
failed: [CRL is not yet valid for /CN=hostname
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using
'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=] Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=v]
Thank you
That error message usually indicates that time is not in sync between all of the machines. Running ntpdate or using the ntpd service should bring time into sync and alleviate the problem. Here's an example of another puppet user seeing this problem:
http://www.puppetlogs.com/puppet/%23puppet-2013-02-26.log.html (search for "CRL is not yet valid for /CN=")