
Agent can't initiate manual check to master

asked 2017-12-16 21:05:04 -0500


Hello,

First things first:

Master:

  • OS: CentOS 7
  • Puppet version: 5.3.3
  • Hostname: sardine

Agent:

  • OS: CentOS 7
  • Puppet version: 5.3.3
  • Hostname: raisin

I'm trying to set up my own puppet master/agent architecture for training purposes, and I'm having trouble.

My master and my agent aren't on the same network; I simply edited /etc/hosts and both can ping each other by the proper name (the agent can ping puppetmaster and the master can ping puppetclient).

I was able to sign the certificate of the agent on the node and I see it when I run "puppet cert list --all":

+ "raisin.mydomain.com" (SHA256) XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

But the problem starts here: this is the output of the command "puppet agent --test" on the agent:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=sardine.local]

I think the problem is about the CN value, it should not be sardine.local, but sardine.mydomain.com.

I configured the "server" variable in puppet.conf on the agent to the proper domain name:

server = sardine.mydomain.com
certname = raisin.mydomain.com

but I still get this CN (sardine.local) in this output. I wanted to be sure I wasn't forgetting to edit a value which was probably "sardine.local" somewhere, so I tried to grep it but I wasn't able to find it in ... (more)


Comments

Have you re-created the certificates? They're at /var/lib/puppet/ssl/.

Kai Burghardt ( 2017-12-17 16:53:47 -0500 )

Hi Kai, Yes, every time I try I remove the certificate on the agent and I revoke + clean the certificate on the master. Thanks for your help, koshie

koshie ( 2017-12-18 08:01:40 -0500 )

No, on your master, too.

Kai Burghardt ( 2017-12-19 07:30:55 -0500 )

Hi, thanks but it didn't work for me. I revoked and cleaned the certificate on the master, then I removed the content of /etc/puppetlabs/puppet/ssl/ and finally asked for a new certificate, but the error is the same as above. It is still looking for "sardine.local" even though it doesn't exist anywhere.

koshie ( 2017-12-19 07:50:38 -0500 )

Hi Koshie, Have you tried to grep "local" (just local) to see if it appears in some files under /etc? I will suggest that you do so on both the master and the client/agent.

stivesso ( 2017-12-19 09:56:52 -0500 )

2 Answers


answered 2017-12-21 07:47:14 -0500


I tried what stivesso asked, but on both master & client I have nothing related to puppet with this command: grep -rin ".local" /etc/

Kai, I ran your command; this is the output from the agent:

CONNECTED(00000003)
depth=0 CN = sardine.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sardine.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=sardine.local
   i:/CN=Puppet CA: sardine.local
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFjzCCA3egAwIBAgIBAjANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhQdXBw
ZXQgQ0E6IHNhcmRpbmUubG9jYWwwHhcNMTcxMjEwMTkzNjA4WhcNMjIxMjEwMTkz
NjA4WjAYMRYwFAYDVQQDDA1zYXJkaW5lLmxvY2FsMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAlE9gBEg6og16j/Xwz/bEdBGc7QM8SOHZgqxgXyCuv938
i2kS4A3c7iFxCb3gOztg+mQ2XPu7PQwLpDDMlB/Ggfw3vqIbe+xCfjtavDPX1VmD
RVrge0BcWRJkzL6TS5y9Am0aH6zqySiMjO8QYGO88SXALIP4kIXB98eP7SEkFQGm
ARiGFT44kG3vcO7WDfT4ivqeVDxblTfrLqZO6Q74tOoyDN+vbPtD4x5GKWpBiY5G
wys5mqcdYZ5jUsiA8SbozE/lcmPGh/5gdvp6Z03P7uqwaPWgEXHVi7XEDwm7SqB7
VHzXQKbOxIBP8c4L8WyEyzI8335n80izrVFoSYUMoNrfC23JvUSxU7wyy5QalP7y
Z0bUy7UHyOxgJGYUBLtrBn8sUSivX4pbyzz69AmCKuCOntFXshghjsxDGT75vBHz
hR+u9Uf9B4JbA8eq1OcFLbbZeUWmD7HQw4W+qs32FabHBd3HSSqwE5dGoqFD3F40
AV+3cVmx8OtaJYvwKtaJd6+r6qXCRmF3uPQZqdCgzxJhjwHDI95aC1S4e531gxB8
2q3RXdJNjBuOFUZXQPCGl9PDh4ldYSUYt8TCT/v+NhyX/UsKq1506NikrMqN/khD
bDfRy+c1NXUNVPTQvtrUKcTxGPiqa+DH6luEQSN1FH3e2fKzsKSWE6JSmYtnsLsC
AwEAAaOB2DCB1TAxBglghkgBhvhCAQ0EJBYiUHVwcGV0IFNlcnZlciBJbnRlcm5h
bCBDZXJ0aWZpY2F0ZTAfBgNVHSMEGDAWgBS/SqCWORKx05Tg35W4XRPQvFiwfjAd
BgNVHQ4EFgQU/BF33as1BeoFoDWGbWYwsG61WkUwIAYDVR0RBBkwF4IGcHVwcGV0
gg1zYXJkaW5lLmxvY2FsMAwGA1UdEwEB/wQCMAAwIAYDVR0lAQH/BBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsFAAOC
AgEAc0JlaNOp3pdvpSzu2jhVztgY3ciiCi0kEZeuSI9r8mk5zCwvCvUz3B4co0fv
Z0iXmkU/XqGHXkbKDsWBTQ4Asq6n1Zt3aoi7oVTETIo+eOlcS1KIUA6+npjmddIM
Lp6/wRVNJGqp/K2wqYcJ24a/QhkZ+plKWEgPyErt0YNIsv9+a++XReCPYGp/eWs0
9Zt0RBysb/ewVw9q6bdKI3Rc3zTm8yQcM6riKgXC8xcWvbMzP6iojJyhg+rH7A4O
FR3nhry2Kq3DWa0lBabJk3oVAYIQQLHgDSl+UQB5R7z4v9PU+W7vcXYgsAOnye2M
s6Kdal4BcsDyRuQyxbPu5NbgejlWGgqQhDlEvkuFozHJYkDxpKAZEIRuIP1FTimo
zTS7kF+4EF9EUBPJXq1lN9XZTlLt9aPS17u4diRIMl4cHJyvIE03wswQ3NoA781L
BOk3toqb7uRwE7ZKLyTZadZpFXc5Jh/ruOpprhLtejJwoBbiszOuMm4pvX3yd9um
tyKq0DxkYmfHR+PTOmZ7PQjx801PSn4B53xNqk0i4FLJjzIAI45aYhTm3ImvPpAi
bflXTV5nuy5u0AnagEe65gvAmFiq3up3DSLg0RMc2PaJGQma2BLFVMy/1mvFmCIe
X1LVT10tUrcetW6fa7whN4TMCKCdabW0kGpJb2eaLiZ97gA=
-----END CERTIFICATE-----
subject=/CN=sardine.local
issuer=/CN=Puppet CA: sardine.local
---
Acceptable client certificate CA names
/CN=Puppet CA: sardine.local
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2268 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 5A3BB281768DCFE1114FDDD8054BECCD8AAF8796C0495F1AFDDFA981397B20E7
    Session-ID-ctx: 
    Master-Key: BE1F0F0AE1133ADF7CA90F7B6C0022195D4FEA6A52DAF5556BCAF500D4CB59F4A9AEEBDA652AE1DBEA345537A2B9B04A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1513861762
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

And now the output from the master:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: sardine.local
        Validity
            Not Before: Dec 18 13:43:10 2017 GMT
            Not After : Dec 18 13:43:10 2022 GMT
        Subject: CN=Puppet CA: sardine.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bc:3a:86:39:91:e0:0a:28:d6:94:8f:ad:02:e3:
                    8e:48:38:81:f9:67:cc:73:d9:b0:ad:dc:d8:6f:d9:
                    0c:85:1f:56:23:65:56:a5:32:62:84:69:f1:33:31:
                    e9:97:34:49:a3:b8:1b:4a:40:db:27:47:16:cb:c4:
                    2c:cd:7b:60:bd:97:0f:64:dc:aa:71:c7:57:7f:02:
                    ef:55:54:0c:a9:29:13:1e:b0:2c:96:7f:7a:5c:1b:
                    ef:68:0c:41:f2:aa:4c:8e:e9:01:60:88:f7 ...
(more)

Comments

Hi Koshi, Can you check with the find command, e.g: find /etc -type f -exec grep -l -i local {} \;

stivesso ( 2017-12-21 08:33:47 -0500 )

On master I have this: "0x0001 2017-12-18T13:43:10UTC 2022-12-18T13:43:10UTC /CN=Puppet CA: sardine.local" in the file: "/etc/puppetlabs/puppet/ssl/ca/inventory.txt" and on agent there is nothing in the output.

koshie ( 2017-12-21 08:39:45 -0500 )

Yeah, you wrote “[…] the CN value, it should not be sardine.local, but sardine.mydomain.com.”. You have to re-create the certificate. Otherwise you can't lose the .local part.

Kai Burghardt ( 2017-12-21 17:59:16 -0500 )

answered 2017-12-21 08:51:05 -0500


updated 2017-12-21 09:17:46 -0500

I was initially unclear what exactly your problem was, but it looks like your problem is that when you generate the server cert for your puppet master, it has the .local (I wasn't sure if it was client, server, or both).

Either way, on the master, you can try doing something like the following prior to running puppet for the first time (or after clearing away your ssl directory and stopping puppet):

# on puppet server
puppet config set --section master certname sardine.mydomain.com
puppet config set --section master dns_alt_names puppet,sardine.local

I know we've previously used that to ensure that our hostname was set appropriately in our bootstrapping scripts... That should actually allow either the real DNS name or the .local DNS name to work with the certificate for TLS.

You may need to do something similar on your client node, unless your prior information has the certname set correctly for your agent.

Hope that helps!


Comments

Hi, thanks but it doesn't seem to work. First I had to modify the second command; it says it can only take 2 arguments, not 3 (I removed the word puppet and left sardine.local). Same error as before.

koshie ( 2017-12-21 09:13:13 -0500 )

Oh, I think that needs to be a comma separated list... if puppet,sardine.local works, I'll update my comment to reflect that for future folks... Can you reproduce this in a pair of docker containers? If so, I can try to replicate it at home

DarylW ( 2017-12-21 09:17:17 -0500 )
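Editor's note, added example (not from the thread and not Puppet's own code): the script below decodes, with only the Python standard library, the certificate sardine actually served (the PEM pasted in koshie's answer from the openssl s_client output) and applies the two checks the agent's TLS client is tripping over. Decoding it gives serial 2, subject CN=sardine.local, SAN dNSNames puppet and sardine.local only, issuer CN=Puppet CA: sardine.local, and a Not Before of 2017-12-10 19:36:08 UTC. The CA certificate now on the master (serial 1 in the openssl x509 dump and in inventory.txt) has Not Before 2017-12-18 13:43:10 UTC, eight days later, so the certificate the server presents was signed by the CA key that existed before the ssl directory was wiped; that is what "unable to get local issuer certificate" is reporting, and a likely reason is that puppetserver was not restarted after the wipe, since it reads its certificate and key when it starts. Separately, the agent's server setting sardine.mydomain.com matches neither the CN nor a SAN entry, so the certname/dns_alt_names settings from DarylW's answer have to be in place (and the service restarted) before the new server certificate is issued, or hostname verification fails even with a good chain. The CA date and the server setting are the thread's values; the minimal DER parser (single-byte tags, v3 certificates), the check function and every other name are this example's own assumptions.

```python
import base64
import datetime

# Certificate the master presented, copied verbatim from the openssl s_client output in the thread.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFjzCCA3egAwIBAgIBAjANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhQdXBw
ZXQgQ0E6IHNhcmRpbmUubG9jYWwwHhcNMTcxMjEwMTkzNjA4WhcNMjIxMjEwMTkz
NjA4WjAYMRYwFAYDVQQDDA1zYXJkaW5lLmxvY2FsMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAlE9gBEg6og16j/Xwz/bEdBGc7QM8SOHZgqxgXyCuv938
i2kS4A3c7iFxCb3gOztg+mQ2XPu7PQwLpDDMlB/Ggfw3vqIbe+xCfjtavDPX1VmD
RVrge0BcWRJkzL6TS5y9Am0aH6zqySiMjO8QYGO88SXALIP4kIXB98eP7SEkFQGm
ARiGFT44kG3vcO7WDfT4ivqeVDxblTfrLqZO6Q74tOoyDN+vbPtD4x5GKWpBiY5G
wys5mqcdYZ5jUsiA8SbozE/lcmPGh/5gdvp6Z03P7uqwaPWgEXHVi7XEDwm7SqB7
VHzXQKbOxIBP8c4L8WyEyzI8335n80izrVFoSYUMoNrfC23JvUSxU7wyy5QalP7y
Z0bUy7UHyOxgJGYUBLtrBn8sUSivX4pbyzz69AmCKuCOntFXshghjsxDGT75vBHz
hR+u9Uf9B4JbA8eq1OcFLbbZeUWmD7HQw4W+qs32FabHBd3HSSqwE5dGoqFD3F40
AV+3cVmx8OtaJYvwKtaJd6+r6qXCRmF3uPQZqdCgzxJhjwHDI95aC1S4e531gxB8
2q3RXdJNjBuOFUZXQPCGl9PDh4ldYSUYt8TCT/v+NhyX/UsKq1506NikrMqN/khD
bDfRy+c1NXUNVPTQvtrUKcTxGPiqa+DH6luEQSN1FH3e2fKzsKSWE6JSmYtnsLsC
AwEAAaOB2DCB1TAxBglghkgBhvhCAQ0EJBYiUHVwcGV0IFNlcnZlciBJbnRlcm5h
bCBDZXJ0aWZpY2F0ZTAfBgNVHSMEGDAWgBS/SqCWORKx05Tg35W4XRPQvFiwfjAd
BgNVHQ4EFgQU/BF33as1BeoFoDWGbWYwsG61WkUwIAYDVR0RBBkwF4IGcHVwcGV0
gg1zYXJkaW5lLmxvY2FsMAwGA1UdEwEB/wQCMAAwIAYDVR0lAQH/BBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsFAAOC
AgEAc0JlaNOp3pdvpSzu2jhVztgY3ciiCi0kEZeuSI9r8mk5zCwvCvUz3B4co0fv
Z0iXmkU/XqGHXkbKDsWBTQ4Asq6n1Zt3aoi7oVTETIo+eOlcS1KIUA6+npjmddIM
Lp6/wRVNJGqp/K2wqYcJ24a/QhkZ+plKWEgPyErt0YNIsv9+a++XReCPYGp/eWs0
9Zt0RBysb/ewVw9q6bdKI3Rc3zTm8yQcM6riKgXC8xcWvbMzP6iojJyhg+rH7A4O
FR3nhry2Kq3DWa0lBabJk3oVAYIQQLHgDSl+UQB5R7z4v9PU+W7vcXYgsAOnye2M
s6Kdal4BcsDyRuQyxbPu5NbgejlWGgqQhDlEvkuFozHJYkDxpKAZEIRuIP1FTimo
zTS7kF+4EF9EUBPJXq1lN9XZTlLt9aPS17u4diRIMl4cHJyvIE03wswQ3NoA781L
BOk3toqb7uRwE7ZKLyTZadZpFXc5Jh/ruOpprhLtejJwoBbiszOuMm4pvX3yd9um
tyKq0DxkYmfHR+PTOmZ7PQjx801PSn4B53xNqk0i4FLJjzIAI45aYhTm3ImvPpAi
bflXTV5nuy5u0AnagEe65gvAmFiq3up3DSLg0RMc2PaJGQma2BLFVMy/1mvFmCIe
X1LVT10tUrcetW6fa7whN4TMCKCdabW0kGpJb2eaLiZ97gA=
-----END CERTIFICATE-----"""

CA_NOT_BEFORE = datetime.datetime(2017, 12, 18, 13, 43, 10)  # CA cert "Not Before" from the x509 dump in the thread
AGENT_SERVER_SETTING = "sardine.mydomain.com"  # the agent's "server" setting from the question
OID_COMMON_NAME = bytes.fromhex("550403")       # id-at-commonName (2.5.4.3)
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos (single-byte tags only); return (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _common_name(name):
    """CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode()

def _time(value):  # UTCTime YYMMDDHHMMSSZ, or GeneralizedTime YYYYMMDDHHMMSSZ for dates from 2050 on
    return datetime.datetime.strptime(value.decode(), "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ")

def parse_certificate(pem):
    """Return serial, issuer CN, subject CN, validity and SAN dNSNames of a v3 PEM certificate."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    (_, tbs), _alg, _sig = _children(_tlv(base64.b64decode(body), 0)[1])
    # v3 TBSCertificate: [0] version, serial, algorithm, issuer, validity, subject, SPKI, [3] extensions
    _version, serial, _alg, issuer, validity, subject, _spki, *rest = _children(tbs)
    not_before, not_after = (_time(v) for _, v in _children(validity[1]))
    san = []
    for tag, val in rest:
        if tag == 0xA3:
            (_, extensions), = _children(val)
            for _, ext in _children(extensions):
                parts = list(_children(ext))  # extnID, optional critical BOOLEAN, extnValue OCTET STRING
                if parts[0][1] == OID_SUBJECT_ALT_NAME:
                    _, general_names, _ = _tlv(parts[-1][1], 0)
                    san = [v.decode() for t, v in _children(general_names) if t == 0x82]  # dNSName
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": _common_name(issuer[1]),
            "subject": _common_name(subject[1]), "not_before": not_before, "not_after": not_after, "san": san}

def check_server_cert(cert, server_setting, ca_not_before):
    """Hostname match and issuer-age checks against the certificate a server presented."""
    problems = []
    if server_setting not in [cert["subject"]] + cert["san"]:
        problems.append(f"hostname mismatch: {server_setting!r} is neither the CN nor a SAN dNSName")
    if cert["not_before"] < ca_not_before:
        problems.append("served certificate predates the CA on disk: it was signed by a CA key that has "
                        "since been regenerated, which is why the agent cannot find its issuer")
    return problems

if __name__ == "__main__":
    for problem in check_server_cert(parse_certificate(SERVER_CERT_PEM), AGENT_SERVER_SETTING, CA_NOT_BEFORE):
        print("PROBLEM:", problem)
```

Run against the thread's certificate this reports both problems; point it at the certificate a freshly restarted puppetserver presents (after setting certname and dns_alt_names and wiping the ssl directory) and both should disappear. The parser deliberately skips signature verification: the point here is the metadata the agent's error messages are complaining about, not re-implementing the chain check.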


Last updated: Dec 21 '17