How do I make Puppet serve the proper certificate? - puppet

I'm trying to connect my puppetmaster and my puppet client. I've been having trouble with the certificates. I was originally trying to use the puppetmaster's IP address (because we don't have DNS set up), but now I think I'll have to edit the hosts file when I set up a new machine to map puppet to its ip.
So once I do that, I'm still having issues. Some background: on the master, I had tried to get rid of the server certificate a few times and recreate a new one. I think that's causing the problem because the log is saying it was revoked. devtest is the puppet agent.
This is what happens when I try to test the agent.
[root#devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I'm understanding the first error properly, it's saying the certificate presented by the master server for servername.mydomain.com has been revoked. (I've edited the log to remove the actual server name and domain).
So I want to have puppetmaster serve up a new certificate. I go onto it, and stop the Apache service (so it doesn't hold the certificate in memory).
I then delete the ssl folder, and try to regenerate the puppet certificate:
[ZachDev#mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache, and get an error. systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point, I'm just guessing at what the config file settings should be. I assume some config files need to be changed -- either the Apache config or the Puppet config, but at this point I'm not sure what the right certificates are. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.


There are multiple issues with your setup. You are indeed right that you need to
pick an FQDN for the master and make sure the agents can resolve it
via respective hosts file or
through dnsmasq
tell the master to use that name as its SSL CN
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it considered 10.128.119.155 to be its name and used that as the CN - this is not sensible).
Next, make sure Apache uses this certificate instead of the CA certificate.
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can make sure /var/lib/puppet/ssl is the correct path using puppet master --configprint ssldir).
Your master should now have a valid certificate to present. If an agent reaches it through its FQDN, the SSL handshake should succeed.

Related

openLDAP Proxy fails with ldaps

This issue is driving me a bit insane.
I am trying to configure an openLDAP Proxy to an Active Directory, which works fine as long as I use unencrypted ldap to the AD. But I would like to secure the connection between the proxy and the AD via LDAPs.
What drives me crazy is that this worked before until I enabled LDAPs for the proxy itself. Now I can't get it running, even if I undo my changes.
This is how the slapd.conf looks like:
# Include schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/local.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap
moduleload rwm
loglevel 256
#LDAPS Settings
TLSCipherSuite HIGH:MEDIUM:-SSLv3
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCACertificateFile /etc/openldap/cacerts/CAs.pem
### Database definition (Proxy to AD) #########################################
database ldap
readonly no
protocol-version 3
rebind-as-user
uri "ldaps://ad-server.internal.de:636"
suffix "dc=ad,dc=internal,dc=de"
Now when I search I get the below error (ldaps or ldap).
Both queries work just fine when I change the uri to "ldap://ad-server.internal.de:389"
ldapsearch -h localhost:389 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'
ldapsearch -H ldaps://localhost:636 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'
=>
ldap_bind: Server is unavailable (52)
additional info: Proxy operation retry failed
This is not a certificate error, as the direct ldapsearch from the same host works just fine:
ldapsearch -H ldaps://ad-server.internal.de:636 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'
This is what the log looks like:
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 fd=12 ACCEPT from IP=127.0.0.1:47458 (IP=0.0.0.0:389)
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 BIND dn="cn=admin,ou=User,dc=ad,dc=internal,dc=de" method=128
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 ldap_back_retry: retrying URI="ldaps://ad-server.internal.de:636" DN=""
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=1 UNBIND
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 fd=12 closed
Any idea why this happens would be greatly appreciated.
Edit:
I did some more digging and it actually seems to be a certificate problem. The tcpdump for the connection returns this error:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
The AD certificate is self signed and unfortunately I have no saying in that, so I cannot change that.
In the standard config I get the same error when running ldapsearch. I can get ldapsearch running with two methods:
Set TLS_REQCERT never in ldap.conf
Set environment variable LDAPTLS_REQCERT=never
I know this is not ideal but this is not supposed to be the final configuration, I just want to get it running first.
However slapd seems to ignore both, because I still get the same error in the tcpdump and slapd debugging still gives me the following:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ad-server.internal.de, issuer: /CN=ad-server.internal.de
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
I tried to add the self-signed certificate to the ldap.conf and to the trusted anchors for openssl, but both didn't work. I also noticed that I cannot get openssl to verify the self-signed certificate, while I can do the same on my PC...
My PC:
$ openssl version
OpenSSL 1.1.1h 22 Sep 2020
$ openssl verify server.crt
error server.crt: verification failed
CN = ad-server.internal.de
error 18 at 0 depth lookup: self signed certificate
$ openssl verify -CAfile server.crt server.crt
server.crt: OK
While on the server (REHL 7.9):
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
$ openssl verify server.crt
server.crt: CN = ad-server.internal.de
error 20 at 0 depth lookup: unable to get local issuer certificate
$ openssl verify -CAfile server.crt server.crt
server.crt: CN = ad-server.internal.de
error 20 at 0 depth lookup: unable to get local issuer certificate
The result on my PC is the expected behaviour for self-signed certificates, as far as I know. I already checked, but it is the latest version available on RHEL 7.9
So does anyone have any idea how I can
get SLAPD to honor the TLS_REQCERT or LDAPTLS_REQCERT settings OR
openssl to verify the self-signed certificate
Thank you!

I finally found a possibility to ignore the certificate validation error. Which is not the optimal solution, but due to the self-signed certificate and the openssl issue in the RHEL7.9 version, I am for now content to have it running at all. The final solution should then be to make the AD department get a certificate from our CA, though I don't know if I can convince them to do so.
So while the LDAP proxy seems to ignore the TLS_REQCERT none setting in the ldap.conf, there is a possibility to do this directly in slapd.conf:
### Database definition (Proxy to AD) #########################################
database ldap
readonly no
protocol-version 3
rebind-as-user
uri "ldaps://ad-server.internal.de:636"
suffix "dc=ad,dc=internal,dc=de"
tls start tls_reqcert=never
The last line eliminates the verification error.

Puppetserver Unspecified Certificate Verification Error

The following command throws an error:
puppetserver ca list
Fatal error when running action 'list'
Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_statuses/any_key
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)

I have edited my /etc/hosts file and added
10.0.0.4 puppetmaster.example.com
I have also edited my /etc/puppetlabs/puppet/puppet.conf file as:
...
[main]
certname = puppetmaster.example.com
server = puppetmaster.example.com
[master]
dns_alt_names = puppetmaster.example.com
...
Actually, by default, the server name is 'puppet' and in dns_alt_names I had not mentioned puppet. That is why
puppetserver ca command failed.

puppet SSL_connect returned=1 errno=0 state=error: certificate verify failed

my puppet agent can't can't connect to the server which is running on the same machine. I am attempting to setup a puppet client server on raspbian linux using puppet version 5.5.0
First I tried deleting and regenerating all of the certs using using this guide https://puppet.com/docs/puppet/5.3/ssl_regenerate_certificates.html After interpreting that guide several different ways I get the same error. So I tried setting up the client and server on different machines and there was no change.
I tried adding --waitforcert=60 so that the client would obtain the signed cert.
I tried uninstalling the client and server and deleting any files associated with puppet and reinstalling everything
Here is the error message I receive when running puppet agent -t :
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Info: Retrieving pluginfacts
Error: /File[/var/cache/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: /File[/var/cache/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Info: Retrieving plugin
Error: /File[/var/cache/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: /File[/var/cache/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=raspberrypi]

Opensource Puppet Master Setup Issue causing unable to get local issuer certificate for /CN=puppet

I have to give up using PE to set up my puppet master :( and I have been throw in the cold cruel Opensource Puppet world.
I have been trying to set up a opensource puppet master on a RHEL7 system. I am planning to do this a couple of times so wrote a very simple shell script. Here's the script:
#!/bin/sh
pc_rpm_name='puppetlabs-release-pc1'
pc_yum_repo_url="https://yum.puppetlabs.com/${pc_rpm_name}-el-7.noarch.rpm"
# set up puppet collection yum repo
rpm -Uvh $pc_yum_repo_url
yum -y install puppetserver
systemctl start puppetserver
/opt/puppetlabs/bin/puppet module install puppetlabs-puppetdb --version 5.1.2
I have a puppet master puppet class I wrote it is very simple:
class my_puppetmaster {
class { 'puppetdb': listen_address => %{::fqdn} }"
include puppetdb::master::config
}
I want to use hiera for my node classification so I have done this:
# pwd
/etc/puppetlabs/code/environments/production/manifests
# cat site.pp
hiera_include('classes')
I have also created this file:
# pwd
/etc/puppetlabs/code/environments/production/hieradata/nodes
# cat puppet_master.yaml
classes:
- my_puppetmaster
And here is my hiera.yaml file:
# pwd
/etc/puppetlabs/puppet
# head hiera.yaml
---
:backends:
- yaml
:hierarchy:
- "nodes/%{::trusted.certname}"
- "nodes/%{::role}"
...
I haven't gotten around to set up a custom fact yet. I figure I could testing out at the point by rebooting the system to give everything a good shake out and then running puppet agent -t and see what happens. When I run puppet agent -t on the puppet master I get this output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
I guess I left something out of my set up script. So ... what did I miss?
Thanks
Red

I forgot to update my puppet.conf. I had "server = puppet" I need to change that to "server = fqdn of my puppet master"

puppet-enterprise-3.1.0-el-6-i386 client/agent test fails

I installed PE Master on one VM and Agents on two VMs pointing to master . Agent1 VM 64 bit works fine , but agent2 VM 32 bit fails with below error. Only difference is architecture. One more note both the agent nodes were accepted from Dashboard,so master has both the certificates.
Any help will be greatly appreciated.
puppet-enterprise-3.1.0-el-6-i386]# puppet agent --test
Info: Caching certificate for
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
failed: [CRL is not yet valid for /CN=hostname
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using
'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=] Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=v]
Thank you

That error message usually indicates that time is not in sync between all of the machines. Running ntpdate or using the ntpd service should bring time into sync and alleviate the problem. Here's an example of another puppet user seeing this problem:
http://www.puppetlogs.com/puppet/%23puppet-2013-02-26.log.html (search for "CRL is not yet valid for /CN=")

Resources