Puppetserver Unspecified Certificate Verification Error - puppet

The following command throws an error:
puppetserver ca list
Fatal error when running action 'list'
Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_statuses/any_key
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)

I have edited my /etc/hosts file and added
10.0.0.4 puppetmaster.example.com
I have also edited my /etc/puppetlabs/puppet/puppet.conf file as:
...
[main]
certname = puppetmaster.example.com
server = puppetmaster.example.com
[master]
dns_alt_names = puppetmaster.example.com
...
Actually, by default, the server name is 'puppet' and in dns_alt_names I had not mentioned puppet. That is why the puppetserver ca command failed.
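The root cause above (the tooling connects to a name that is not in the master's certificate) can be caught before any handshake by comparing the names in puppet.conf. The following is an added example, not part of Puppet or puppetserver: it parses a puppet.conf with Python's configparser and reports every name used to reach the master that is neither its certname nor one of its dns_alt_names. The sample configuration is constructed from the question above; the default of 'puppet' for an unset server setting is Puppet's own, while the function names and the reached_as parameter are this example's assumptions.

```python
"""Check that every name used to reach a Puppet master is covered by the
names in the master's certificate (certname plus dns_alt_names).

Added example for this thread, not part of puppetserver. SAMPLE_CONF is
constructed from the question above; `reached_as`, `cert_names` and
`uncovered_names` are this example's own names.
"""
import configparser

DEFAULT_SERVER = "puppet"  # Puppet's built-in default when `server` is not set


def parse_puppet_conf(text):
    """Parse INI-style puppet.conf text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def lookup(conf, key, sections=("agent", "main"), default=None):
    """Resolve a setting the way Puppet does: specific section first, then [main]."""
    for section in sections:
        value = conf.get(section, {}).get(key)
        if value is not None:
            return value.strip()
    return default


def cert_names(conf):
    """Names the master's certificate carries: certname plus each dns_alt_names entry."""
    master_sections = ("master", "server", "main")
    names = set()
    certname = lookup(conf, "certname", master_sections)
    if certname:
        names.add(certname.lower())
    for entry in lookup(conf, "dns_alt_names", master_sections, "").split(","):
        entry = entry.strip().lower()
        if entry.startswith("dns:"):      # Puppet accepts an optional DNS: prefix
            entry = entry[len("dns:"):]
        if entry:
            names.add(entry)
    return names


def uncovered_names(conf_text, reached_as=None):
    """Return the names used to reach the master that its certificate does not cover.

    reached_as: the host actually connected to, e.g. the host in the failing
    URL (https://puppet:8140/... above). When omitted, the configured `server`
    (or Puppet's default 'puppet') and `ca_server`, if set, are checked.
    """
    conf = parse_puppet_conf(conf_text)
    if reached_as:
        wanted = {reached_as.lower()}
    else:
        wanted = {lookup(conf, "server", default=DEFAULT_SERVER).lower()}
        ca_server = lookup(conf, "ca_server")
        if ca_server:
            wanted.add(ca_server.lower())
    return sorted(wanted - cert_names(conf))


# Constructed from the puppet.conf quoted in the question above.
SAMPLE_CONF = """\
[main]
certname = puppetmaster.example.com
server = puppetmaster.example.com
[master]
dns_alt_names = puppetmaster.example.com
"""

if __name__ == "__main__":
    for host in (None, "puppet"):
        missing = uncovered_names(SAMPLE_CONF, reached_as=host)
        label = host or "configured server"
        print(f"{label}: {'covered' if not missing else 'NOT in certificate: ' + ', '.join(missing)}")
```

Run against the configuration from the question, the configured server name passes but the host from the failing URL, puppet, is reported as missing, which is exactly the mismatch the self-answer describes. One caveat worth keeping in mind: dns_alt_names is only read when the master's certificate is generated, so adding a name to it after the fact requires reissuing the master's certificate before the check above reflects what the server actually presents.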

Related

puppet SSL_connect returned=1 errno=0 state=error: certificate verify failed

My puppet agent can't connect to the server, which is running on the same machine. I am attempting to set up a puppet client and server on raspbian linux using puppet version 5.5.0.
First I tried deleting and regenerating all of the certs using this guide: https://puppet.com/docs/puppet/5.3/ssl_regenerate_certificates.html After interpreting that guide several different ways I got the same error. So I tried setting up the client and server on different machines, and there was no change.
I tried adding --waitforcert=60 so that the client would obtain the signed cert.
I tried uninstalling the client and server, deleting any files associated with puppet and reinstalling everything.
Here is the error message I receive when running puppet agent -t:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Info: Retrieving pluginfacts
Error: /File[/var/cache/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: /File[/var/cache/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Info: Retrieving plugin
Error: /File[/var/cache/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: /File[/var/cache/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]

Sending reports to different puppet master than $server

There are two puppet masters, pupmasterone.localdomain and pupmastertwo.localdomain. pupmastertwo is fetching configuration from pupmasterone and sending its reports to pupmasterone. (This is normal behaviour.)
If we change the report_server in pupmastertwo to report to itself, it throws an error.
puppet.conf (pupmastertwo)
[main]
report_server=pupmastertwo.localdomain
[agent]
server=pupmasterone.localdomain
Error:
Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
How to get this working?

Opensource Puppet Master Setup Issue causing unable to get local issuer certificate for /CN=puppet

I have to give up using PE to set up my puppet master :( and I have been thrown into the cold, cruel open-source Puppet world.
I have been trying to set up an open-source puppet master on an RHEL7 system. I am planning to do this a couple of times, so I wrote a very simple shell script. Here's the script:
#!/bin/sh
# stop at the first failing step instead of carrying on with a half-installed master
set -e
pc_rpm_name='puppetlabs-release-pc1'
pc_yum_repo_url="https://yum.puppetlabs.com/${pc_rpm_name}-el-7.noarch.rpm"
# set up puppet collection yum repo
rpm -Uvh "$pc_yum_repo_url"
yum -y install puppetserver
systemctl start puppetserver
# install the puppetdb module that the my_puppetmaster class depends on
/opt/puppetlabs/bin/puppet module install puppetlabs-puppetdb --version 5.1.2
I have a puppet master puppet class I wrote it is very simple:
class my_puppetmaster {
  # listen_address takes a Puppet variable; %{...} is Hiera interpolation syntax, not Puppet DSL
  class { 'puppetdb': listen_address => $::fqdn }
  include puppetdb::master::config
}
I want to use hiera for my node classification so I have done this:
# pwd
/etc/puppetlabs/code/environments/production/manifests
# cat site.pp
hiera_include('classes')
I have also created this file:
# pwd
/etc/puppetlabs/code/environments/production/hieradata/nodes
# cat puppet_master.yaml
classes:
- my_puppetmaster
And here is my hiera.yaml file:
# pwd
/etc/puppetlabs/puppet
# head hiera.yaml
---
:backends:
- yaml
:hierarchy:
- "nodes/%{::trusted.certname}"
- "nodes/%{::role}"
...
I haven't gotten around to setting up a custom fact yet. I figured I could test things out at this point by rebooting the system to give everything a good shake-out and then running puppet agent -t to see what happens. When I run puppet agent -t on the puppet master I get this output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
I guess I left something out of my setup script. So ... what did I miss?
Thanks
Red
I forgot to update my puppet.conf. I had "server = puppet"; I needed to change that to "server = fqdn of my puppet master".

How do I make Puppet serve the proper certificate?

I'm trying to connect my puppetmaster and my puppet client. I've been having trouble with the certificates. I was originally trying to use the puppetmaster's IP address (because we don't have DNS set up), but now I think I'll have to edit the hosts file when I set up a new machine to map puppet to its ip.
So once I do that, I'm still having issues. Some background: on the master, I had tried to get rid of the server certificate a few times and recreate a new one. I think that's causing the problem because the log is saying it was revoked. devtest is the puppet agent.
This is what happens when I try to test the agent.
[root@devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I'm understanding the first error properly, it's saying the certificate presented by the master server for servername.mydomain.com has been revoked. (I've edited the log to remove the actual server name and domain).
So I want to have puppetmaster serve up a new certificate. I go onto it, and stop the Apache service (so it doesn't hold the certificate in memory).
I then delete the ssl folder, and try to regenerate the puppet certificate:
[ZachDev@mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache, and get an error. systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point, I'm just guessing at what the config file settings should be. I assume some config files need to be changed -- either the Apache config or the Puppet config, but at this point I'm not sure what the right certificates are. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.
There are multiple issues with your setup. You are indeed right that you need to
- pick an FQDN for the master and make sure the agents can resolve it
  - via the respective hosts file or
  - through dnsmasq
- tell the master to use that name as its SSL CN
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it considered 10.128.119.155 to be its name and used that as the CN - this is not sensible).
Next, make sure Apache uses this certificate instead of the CA certificate.
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can make sure /var/lib/puppet/ssl is the correct path using puppet master --configprint ssldir).
Your master should now have a valid certificate to present. If an agent reaches it through its FQDN, the SSL handshake should succeed.

puppet-enterprise-3.1.0-el-6-i386 client/agent test fails

I installed the PE Master on one VM and Agents on two VMs pointing to the master. The Agent1 VM (64 bit) works fine, but the Agent2 VM (32 bit) fails with the error below. The only difference is the architecture. One more note: both agent nodes were accepted from the Dashboard, so the master has both certificates.
Any help will be greatly appreciated.
puppet-enterprise-3.1.0-el-6-i386]# puppet agent --test
Info: Caching certificate for
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=hostname
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=] Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=v]
Thank you
That error message usually indicates that time is not in sync between all of the machines. Running ntpdate or using the ntpd service should bring time into sync and alleviate the problem. Here's an example of another puppet user seeing this problem:
http://www.puppetlogs.com/puppet/%23puppet-2013-02-26.log.html (search for "CRL is not yet valid for /CN=")
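The threads on this page show the same "certificate verify failed" wrapper carrying different reasons (name mismatch, unknown issuer, revoked certificate, CRL not yet valid, a peer alert, and mod_ssl refusing a CA certificate as the host certificate), each with a different fix. The following is an added example, not part of Puppet: it parses those error shapes out of an agent run or httpd log, deduplicates them, and attaches the diagnosis the answers above give for each reason (plus the standard OpenSSL/TLS meaning where the thread itself had no answer, which the text marks). The sample log is constructed from the lines quoted on this page; the DIAGNOSIS table and the function names are this example's own.

```python
"""Triage the SSL_connect and mod_ssl failures quoted across the threads above.

Added example, not part of Puppet. SAMPLE_LOG is constructed from the error
shapes quoted on this page; DIAGNOSIS summarises the fixes the answers above
give plus the standard OpenSSL/TLS meaning of each reason.
"""
import re

# "certificate verify failed (reason)" form, used by newer agents
PAREN_RE = re.compile(r"certificate verify failed \(([^)]*)\)")
# "[reason for /CN=name]" form; the CN may be empty, as in the PE thread above
BRACKET_RE = re.compile(r"\[([^\]]*?)(?: for /CN=([^\]]*))?\]")
# a TLS alert sent by the peer, e.g. "sslv3 alert certificate unknown"
ALERT_RE = re.compile(r"sslv3 alert ([a-z ]+)", re.IGNORECASE)
# mod_ssl startup messages from the Apache-fronted master thread
APACHE_RE = re.compile(r"\[ssl:(?:warn|emerg|error)\].*?(AH\d{5}|key values mismatch)")

DIAGNOSIS = {
    "unspecified certificate verification error":
        "name mismatch: the host in the URL (the default 'puppet' above) is neither the "
        "master's certname nor in its dns_alt_names",
    "certificate rejected":
        "the agent's validator refused the server's certificate chain (unresolved in the thread)",
    "unable to get local issuer certificate":
        "the server certificate does not chain to the CA the agent trusts; the fix in the "
        "thread above was setting server to the master's FQDN instead of 'puppet'",
    "certificate revoked":
        "the master presents a certificate listed on its own CRL after repeated regeneration; "
        "reissue the master certificate under the intended certname",
    "CRL is not yet valid":
        "clock skew between agent and CA; bring time into sync with ntpdate or ntpd",
    "certificate unknown":
        "TLS alert from the peer: the report_server could not validate this node's certificate "
        "(no accepted fix in the thread)",
    "AH01906":
        "SSLCertificateFile points at the CA certificate instead of the master's host certificate",
    "AH01909":
        "the served certificate carries no name matching the server name (the master had "
        "signed itself as its IP address)",
    "key values mismatch":
        "SSLCertificateFile and SSLCertificateKeyFile are not a pair (CA certificate with the host key)",
}


def parse_ssl_connect(line):
    """Return (reason, cn) for an SSL_connect error line, or (None, None)."""
    if "SSL_connect" not in line:
        return None, None
    alert = ALERT_RE.search(line)
    if alert:
        return alert.group(1).strip().lower(), None
    idx = line.find("certificate verify failed")
    if idx < 0:
        return None, None
    tail = line[idx:]            # ignore "/File[...]" brackets earlier in the line
    reason, cn = None, None
    paren = PAREN_RE.search(tail)
    if paren:
        reason = paren.group(1)
    bracket = BRACKET_RE.search(tail)
    if bracket:
        if bracket.group(1) != "ok":   # "[ok for /CN=x]" only names the cert, no reason
            reason = bracket.group(1)
        cn = bracket.group(2)
    return reason, cn


def parse_mod_ssl(line):
    """Return the AH code or key-mismatch marker from a mod_ssl log line, else None."""
    m = APACHE_RE.search(line)
    return m.group(1) if m else None


def triage(log_text):
    """Collapse a noisy run into one entry per distinct (reason, CN) with its diagnosis."""
    seen = {}
    for line in log_text.splitlines():
        reason, cn = parse_ssl_connect(line)
        if reason is None:
            reason = parse_mod_ssl(line)
        if reason is None:
            continue
        seen.setdefault((reason, cn), DIAGNOSIS.get(reason, "no diagnosis on this page"))
    return [{"reason": r, "cn": cn, "diagnosis": d} for (r, cn), d in seen.items()]


# Constructed sample: one line per error shape quoted on this page.
SAMPLE_LOG = """\
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: /File[/var/cache/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Warning: Not using cache on failed catalog
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['reason']!r} (CN={entry['cn']!r}): {entry['diagnosis']}")
```

The parser only looks at the text after "certificate verify failed", which keeps the "/File[...]" resource paths that precede it from being mistaken for a reason, and it treats "[ok for /CN=x]" as naming the certificate rather than the failure. An empty CN, as in the "CRL is not yet valid for /CN=" lines, is preserved as an empty string so the entry is still distinguishable from lines that carried no CN at all.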
