getting error while signing certs

asked 2017-04-12 12:39:13 -0500 by Frank_123_ih

Hi there,

I am getting the below error while generating the certificate. Please have a check on the error below.

root@east [/var/lib/puppet]# puppetd --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for east.hamardigital.com
err: Could not request certificate: unknown message digest algorithm
Exiting; failed to retrieve certificate and waitforcert is disabled

I have updated the openssl on the server, but it seems that the error persists. I am using a CentOS 6 server. Any help would be greatly appreciated.


Comments

Are the clocks the same between the agent and the master? I had that issue with a new server today: I approved the certificate but the agent wouldn't run because the clock on the new agent was way off. Adjusted the time and it worked fine.

UBPClaw ( 2017-04-13 18:46:36 -0500 )

4 Answers

answered 2017-04-13 02:19:30 -0500 by greynolds

How are you deleting the certs?

Remove all references from the puppetmaster:

  • puppet cert clean <server name> (your choice)
  • puppet node clean <server name> (your choice)
  • puppet node purge <server name> (your choice)

Then:

  • on client: delete the SSL directory
  • on client: puppet agent -t
  • on master: puppet cert sign <server name>
  • on client: puppet agent -t (follow up)


Comments

Removed certs by these steps:

On puppetmaster: puppetca --clean hostname.of.agent, then removed all related files from /var/lib/puppet
On puppet agent: removed /var/lib/puppet/ssl

Still getting the error while creating a signing request:

err: Could not request certificate: unknown message digest algorithm

Frank_123_ih ( 2017-04-19 03:32:46 -0500 )

Interesting! After removing the certs and restarting the puppetmaster, you are getting certificate errors from a newer version of OpenSSL versus an older version? I would compare the configurations to see how they are configured. Either the older or the newer version does not like the digest.

greynolds ( 2017-04-21 04:08:39 -0500 )

answered 2017-04-19 00:24:30 -0500 by Frank_123_ih

updated 2017-04-20 04:46:37 -0500

Hi,

I have tried checking the server clock time against the master server clock. Both are the same. All the SSL certs were removed from the client server (note: the server certs are not reaching the master server, this is the main issue by the way :-) ...), and I tried re-adding it to the master server, but still the same. Could you confirm if there is any other fix? I will wait for your reply.

Just a follow-up, as the forum won't allow posting multiple answers.

Hi fvoges,

We have CentOS 6 as our prime architecture. The server agent and the master are configured with CentOS 6. Since the server is using Puppet version 2.6.18, the client server is also configured to use the same. Pasted below are the master and client server configurations.

Master:

[root@puppet ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@puppet ~]# puppet -V
2.6.18
[root@puppet ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)

Client:

root@east [~]# openssl version
OpenSSL 1.0.1e 11 Feb 2013
root@east [~]# puppet -V
2.6.12
root@east [~]# cat /etc/redhat-release
CentOS release 6.9 (Final)

Please have a check and let us know if there is any fix that you propose.


Comments

Please check my answer for a workaround.

CmdKeen ( 2017-04-20 05:05:07 -0500 )

answered 2017-04-19 05:19:34 -0500

updated 2017-04-20 05:04:06 -0500

It is not the time, it is the algorithm. After updating to CentOS 6.9 I'm unable to generate a puppet cert for the master to sign. I suspect it has something to do with the OpenSSL update and the supported hashes. I have not found a solution or an answer.

UPDATE

Downgrading openssl is the only solution I have found so far.

  • wget a previous version from a CentOS mirror (openssl-1.0.1e-48 tested and worked)
  • yum downgrade openssl-1.0.1e-48.el6.x86_64.rpm
  • puppet agent -t (creates the CSR)
  • sign on the master
  • update openssl to the latest version (naturally, for security)
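The answer above suspects the digest the agent hands to OpenSSL when it signs the CSR. The following is an added example, not code from the page or from Puppet: it reproduces the "Creating a new SSL certificate request" step in plain Ruby (Puppet is Ruby, and its agent uses the same OpenSSL binding), so you can check on the affected box whether a given digest name resolves and whether a CSR can be signed with it, independently of the Puppet version. The node name is the one from the question; the list of digest names probed is my assumption, and nothing here tells you which digest a particular Puppet release actually uses.

```ruby
# Added example (not from the page or from Puppet): isolate the CSR-signing
# step from the agent so "unknown message digest algorithm" can be traced to
# a digest name that this Ruby's OpenSSL cannot resolve or cannot sign with.
require 'openssl'

# Does this OpenSSL binding know a digest by this name? OpenSSL reports an
# unresolvable name as "unknown message digest algorithm" in C; Ruby raises.
def digest_available?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Build a CSR the way an agent does: node FQDN as CN, RSA key, signed with
# the requested digest. Raises if OpenSSL rejects the digest for signing.
def build_csr(fqdn, digest_name, key: OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', fqdn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
  csr
end

# Probe several digests with one key and report, per name, either the
# resulting signature algorithm (e.g. "sha256WithRSAEncryption") or the
# error OpenSSL raised. This is the table to compare between master and agent.
def probe_csr_digests(fqdn, digests)
  key = OpenSSL::PKey::RSA.new(2048) # one key, reused for every probe
  report = {}
  digests.each do |name|
    begin
      report[name] = build_csr(fqdn, name, key: key).signature_algorithm
    rescue StandardError => e
      report[name] = "ERROR: #{e.class}: #{e.message}"
    end
  end
  report
end

if $PROGRAM_NAME == __FILE__
  puts "OpenSSL: #{OpenSSL::OPENSSL_VERSION} (Ruby #{RUBY_VERSION})"
  # Digest names below are a constructed sample list; "nosuch" is deliberately
  # bogus to show what an unresolvable name looks like.
  probe_csr_digests('east.hamardigital.com', %w[md5 sha1 sha256 sha512 nosuch])
    .each { |name, result| puts format('%-8s %s', name, result) }
end
```

Run it with the Ruby that Puppet itself uses (`/usr/bin/ruby` on CentOS 6, not a newer one you may have installed elsewhere), on both the master and the agent, and compare the two tables: a name that reports an error on the agent but not on the master is the mismatch the thread is circling around, and tells you whether downgrading openssl or moving to a Puppet release that signs with a supported digest is the right fix.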

answered 2017-04-20 03:08:40 -0500 by fvoges

It's a problem with openssl. Have you upgraded the openssl libraries on the agent too?

What OS and Puppet and openssl version do you have installed on the master? and on the agent?


Comments

Yes, openssl has been updated to openssl-1.0.1e-57 on CentOS 6.9 on the client.

CmdKeen ( 2017-04-20 04:30:28 -0500 )


Stats

Seen: 284 times

Last updated: Apr 20