err: file /var/lib/puppet/lib: failed to generate additional resources using `eval_generate: ssl_connect returned=1 errno=0 state=sslv3 read server certificate B: certificate verify failed

asked 2015-11-02 13:11:08 -0500

LMC-25

Using open source version 2.7.26 (master) & open source 2.7.25 (client).

Receiving the following error messages:

err: file /var/lib/puppet/lib: failed to generate additional resources using `eval_generate: ssl_connect returned=1 errno=0 state=sslv3 read server certificate B: certificate verify failed

I have already verified that the master & client time is synced, removed /var/lib/puppet/ssl on the client & cleaned the cert on the master...same results. Some machines work fine while many others are getting this error. Any ideas???


Comments

Is there anything common to the machines with the problem, e.g. OS version, ntp settings, etc.? What about the machines where Puppet works fine? Did this suddenly start happening to a set of machines or has it been a problem since you first used Puppet on them?

GregLarkin ( 2015-11-02 13:44:20 -0500 )

All machines involved are CentOS 6.5 and have identical settings. Puppet had been working fine and then this just started happening. There are two master servers, but only one serving as the CA authority. All machines pointed to the "backup" fail and now a couple pointed to the primary fail.

LMC-25 ( 2015-11-03 06:47:45 -0500 )

Has your master certificate expired (unlikely, but figured I should ask)? Something must have changed somewhere. Do you see any other errors in the logs on the masters? Are the masters behind a load balancer? If so, were they set up with DNS alt names?

GregLarkin ( 2015-11-03 16:34:30 -0500 )

We have regenerated the certs thinking that was it...to no avail. There is no load balancer and no obvious change that any of us are aware of.... Additional errors include: Could not retrieve file metadata for puppet://puppet/plugins: SSL_conect returned=1

LMC-25 ( 2015-11-04 09:36:34 -0500 )

With 2 independent Puppet masters that are not load-balanced, how have you configured things so that only one is acting as a CA? If an agent node connects to the Puppet master/CA to generate its cert, I'm not sure how it could then switch to use the other master without running into cert probs.

GregLarkin ( 2015-11-04 10:37:50 -0500 )
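
The condition the last comment asks about, an agent that trusts one CA being pointed at a master whose certificate was signed by a different CA key, can be checked with `openssl verify`. The script below is an added example, not part of the thread; the CA and master names are constructed and every file is a throwaway in a temp dir.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate here is a throwaway in a temp dir.

# chain_ok CA_FILE CERT_FILE: succeeds only if CERT_FILE verifies against CA_FILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR BASENAME CN: create a self-signed CA (BASENAME.key / BASENAME.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_cert DIR CA_BASENAME BASENAME CN: sign a certificate with the given CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# check_label CA_FILE CERT_FILE: print "ok" or "verify-failed".
check_label() {
  if chain_ok "$1" "$2"; then echo ok; else echo verify-failed; fi
}

run_demo() {
  local d; d=$(mktemp -d) || return 1
  # CA the agent trusts, and the master certificate it signed.
  make_ca "$d" ca_agent "constructed-puppet-ca" || return 1
  issue_cert "$d" ca_agent master1 "master1.constructed.example" || return 1
  # A second CA with the SAME name but a new key (for instance a regenerated
  # CA), and a master certificate signed by it.
  make_ca "$d" ca_other "constructed-puppet-ca" || return 1
  issue_cert "$d" ca_other master2 "master2.constructed.example" || return 1
  # Both master certificates are checked against the CA the agent holds.
  echo "master1=$(check_label "$d/ca_agent.pem" "$d/master1.pem")" \
       "master2=$(check_label "$d/ca_agent.pem" "$d/master2.pem")"
  rm -rf "$d"
}

run_demo
```

On a real agent, the same `openssl verify -CAfile` check applies to the CA certificate the agent holds and the certificate the master presents.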