mcollective certificates are unable to get their certificate CRL (with use of an external CA)

asked 2017-11-30 08:14:00 -0600

Hi,

First some background info... Some colleagues and I at work are trying out Puppet Enterprise 2017.3 (free edition for 10 nodes) because we are interested in getting Puppet as our new Linux desired-state config tool. We already have an internal intermediate CA from Microsoft in place, which we want to use instead of the built-in CA of Puppet for security reasons/policies.

Followed documentation: (which we ran over 6 times already, always from a clean install on RedHat Enterprise Linux 7.3) https://puppet.com/docs/pe/2017.3/sslandcertificates/usinganexternalcertificateauthoritywithpe.html

For testing purposes we just used one certificate (that comes from our internal intermediate CA) that we tried to implement for all PE-services (= puppet01.domainname.com).

| External CA Generated File | Location on Host | Name of File |
|---|---|---|
| CA's certificate | /etc/puppetlabs/puppet/ssl/certs | ca.pem = here we use a .pem file that contains the root CA+intermediate CA |
| CA's CRL | /etc/puppetlabs/puppet/ssl | crl.pem = here we use the CRL of the intermediate CA |
| CA's CRL | /etc/puppetlabs/puppet/ssl/ca | cacrl.pem = here we use the CRL of the intermediate CA again |
| Host's Cert | /etc/puppetlabs/puppet/ssl/certs | &lt;puppet master fqdn&gt;.pem = here we used puppet01.domainname.com |
| Host's Public Key | etc/puppetlabs/puppet/ssl/publickeys | &lt;puppet master fqdn&gt;.pem = here we used puppet01.domainname.com |
| Host's Private Key | etc/puppetlabs/puppet/ssl/private_keys | &lt;puppet master fqdn&gt;.pem = here we used the private key of puppet01.domainname.com |

When we run "puppet agent -t" at the end, we get the following error:

    [root@puppet01 ssl]# puppet agent -t
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Info: Retrieving pluginfacts
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Info: Retrieving plugin
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Info: Loading facts
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate unknown

And when we run a "puppet cert list --all"

[root ...
