move agent to new master: 'unable to get local issuer certificate for cn/...'

asked 2016-01-14 10:17:09 -0500

hesco

I have a test node which had pointed at a legacy puppet master.
I used this command to remove its certificates:

find /etc/puppetlabs/puppet/ssl -name "*`hostname`*" -exec rm {} \;

and then to update the puppet master on the node:

puppet config set --section main server new_puppet_master.example.com

and then ran the agent like so:

puppet agent --test --environment production --waitforcert 20

which gives me these errors:

Info: Creating a new SSL key for migrating_node.example.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for migrating_node.example.com
Info: Certificate Request fingerprint (SHA256): D7:F5:1A:4A:68:15:DA:BD:3B:7E:AF:72:AF:41:9B:0E:4A:92:1A:F1:EE:82:46:9E:97:A2:A9:A0:9E:2A:7E:89
Info: Caching certificate for migrating_node.example.com
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com] Could not retrieve file metadata for puppet://new_puppet_master.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/pe_build.rb
etc.;  .  .  .  

Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]

Seems there is some certificate for my master which must be installed on the agent to bootstrap this communication. In fact I remember my bootstrap script used to install the agent on nodes at a previous company included some code to do this, but I do not remember which cert I harvest from where on the master and install to where on the agent. Can someone please advise? Perhaps point me to the documentation of this requirement? I have been unable to find it.

Thanks,

-- Hugh


2 Answers


answered 2016-01-14 10:37:26 -0500

hesco

updated 2016-01-14 11:40:55 -0500

This seems to be part of the answer, perhaps:

# puppet agent --configprint localcacert
/etc/puppetlabs/puppet/ssl/certs/ca.pem

I suspect that is where I need to install this missing 'local issuer certificate' on the agent.
Still in search of its path on the master to test this theory.

And this seems to be the rest of the answer:

# md5sum `puppet agent --configprint localcacert`
8e0bbc8...blah...blah...blah...  /etc/puppetlabs/puppet/ssl/certs/ca.pem

then on the legacy master, I ran this:

md5sum /etc/puppetlabs/puppet/ssl/ca/*.pem
  .  .  .  
8e0bbc8...blah...blah...blah...  /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
  .  .  .  

and finally:

# puppet config print | grep `pwd`/ca/ca_crt.pem
cacert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
# puppet config print cacert
/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

Next to test this theory.

# puppet agent --test --environment production
Error: Cached certificate for ca failed: nested asn1 error
Error: Cached certificate for ca failed: nested asn1 error
Error: Could not request certificate: PEM lib
Exiting; failed to retrieve certificate and waitforcert is disabled

So I remove the certs and have them regenerated again. On the master:

# puppet cert clean migrating_agent.example.com

on the agent:

# find /etc/puppetlabs/puppet/ssl -name "*`hostname`*" -exec rm {} \;
# rm -f /etc/puppetlabs/puppet/ssl/certs/migrating_agent.example.com.pem
# puppet agent --test --environment production --waitforcert 20

which yields me several warnings and errors about a revocation list:

unable to get certificate CRL for /CN=...

Another query of the configuration on the agent shows:

# md5sum `puppet agent --configprint cacrl`
6b3302a...blah...blah...blah...  /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem

But attempts to verify that against the corresponding file on the legacy master found no match; perhaps because the CRL on the legacy master had been updated since its installation on the migrating_agent node. Just a theory. Do not really know.

At any rate, I proceed to update the CRL on the agent using the output from running "less puppet config print cacrl" on the new master. And now --waitforcert gets me: 'Notice: Did not receive certificate'; and the same result when I move the old ca_crl.pem back into place or when I remove that file altogether. Stumped as to what I should try next.

THOUGHT I WAS ON TO A SOLUTION; BUT THINGS ARE STILL BROKEN HERE.
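The md5sum comparison above is checking whether the agent's cached CA cert is the one that actually issued the new master's certificate. As an added example (not code from hesco's post or from Puppet), the script below builds two throwaway CAs with openssl, issues the new master's cert from one of them, and reproduces the "unable to get local issuer certificate" verdict when the other CA is the one cached; all names and paths are made up and no real Puppet files are touched.

```shell
# Added example, not from the thread: two throwaway Puppet-style CAs,
# a master cert issued by one of them, and the chain check the agent
# performs against its cached localcacert. Names/paths are made up.
set -e

WORK=$(mktemp -d)

# make_ca PREFIX CN: self-signed CA key + cert under $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server CA_PREFIX HOST: cert for HOST signed by that CA.
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_chain CA_PREFIX HOST: succeeds only if that CA signed HOST's cert,
# which is what the agent checks when it connects to the master.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_reason CA_PREFIX HOST: openssl's own verdict text, for the log.
verify_reason() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 || true
}

# ca_fingerprint PREFIX: SHA256 fingerprint of a CA cert. Compare the
# agent's `puppet agent --configprint localcacert` file with the master's
# `puppet config print cacert` file this way before trusting the cache.
ca_fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_ca PREFIX_A PREFIX_B: true when both files hold the same CA cert.
same_ca() {
  [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

make_ca legacy_ca "Puppet CA: legacy_master.example.com"
make_ca new_ca "Puppet CA: new_puppet_master.example.com"
make_server new_ca new_puppet_master.example.com
verify_reason legacy_ca new_puppet_master.example.com   # stale cache: fails
verify_reason new_ca new_puppet_master.example.com      # new CA: "OK"
```

On a real migration the equivalent fix is to replace the agent's cached ca.pem (and, as André's answer below notes, the stale CRL) with the new master's copies before requesting a certificate.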


answered 2016-01-19 03:34:36 -0500

André

I had the same issue.

Did you run this on the puppet master?

puppet cert sign "agent.example.com"

I had the same issue as you; after I had signed the cert on the master I also got:

unable to get certificate CRL for /CN=...

When I got that I renamed my crl.pem file.

mv /var/lib/puppet/ssl/crl.pem /var/lib/puppet/ssl/crl.pem.old

The above path is different than yours and the filename is different, but I suggest you try and rename your CRL file.

After that I ran puppet on the agent without --waitforcert:

puppet agent -t --environment env

And it completed without error.

Best of luck.

-- André


Stats

Asked: 2016-01-14 10:17:09 -0500

Seen: 5,309 times

Last updated: Jan 14 '16