Warning: SSL_connect returned=1 errno=0 state=error:

asked 2018-05-16 00:03:42 -0500

SSD

Both of my nodes are running NTP.

I have cleaned the cert from both master and agent MANY times. But every time I run puppet agent again, this happens:

root@testpuppet:/opt/puppetlabs/puppet# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster.<first-three-IP-groups>.static.as<etc>.net]

I also don't understand how the agent knows "puppetmaster.<first-three-ip-groups>.static.as<etc>.net" as the address? The address should be "puppetmaster.ourdomain.com" and the other address was originally in the /etc/hosts file on the MASTER but it is commented out now. And how did it get involved anyway?


Comments

1

First thing, are you able to resolve puppetmaster.ourdomain.com from your agent node?

Mr_Sharma ( 2018-05-18 03:58:44 -0500 )

Yes. And the agents exchange certificates with the master and the master signs them. *Then* I get this error.

SSD ( 2018-05-18 04:02:12 -0500 )

Okay, I hope your /etc/hosts on agent would have the entry for master: "<master ip> puppetmaster.ourdomain.com puppet". Let's try once more to remove the certs from master using cmd, remove the ssl dir from agent node, verify no cert files are available in ssl dir on master....

Mr_Sharma ( 2018-05-21 00:47:31 -0500 )

If any cert file related to your agent node is found on the master in /etc/puppetlabs/puppet/ssl, then you can remove it. Run puppet agent on the node. Take a backup of files or the ssl dir wherever necessary.

Mr_Sharma ( 2018-05-21 00:48:41 -0500 )

What do you mean about "<master ip>"? That does not appear anywhere in the (terrible, disconnected) docs I have read. About the other things please give specifics. You said "remove the certs from master using cmd" and I have never heard of cmd. What are you talking about?

SSD ( 2018-05-21 02:11:15 -0500 )
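
What OpenSSL's "unable to get local issuer certificate" in the agent output above means, shown as an added Ruby example that is not part of the original thread: the verifying side has no local copy of the CA certificate that issued the certificate the server presented. Every name, key and certificate is constructed inside the script, and the two-CA scenario is an assumption for illustration, not a diagnosis of the poster's setup.

```ruby
require "openssl"

# Build a certificate for cn; self-signed unless an issuer cert and key are given.
# Every name, key and certificate in this script is constructed for the demo.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify the certificate a master presents against the one CA cert the agent holds,
# and format a failure the way the agent output in the question does.
def check_master_cert(agent_ca, master_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(agent_ca)
  ok = store.verify(master_cert)
  { ok: ok, code: store.error,
    message: ok ? "ok" : "#{store.error_string} for #{master_cert.subject}" }
end

# Hypothetical scenario: the agent holds the CA cert of a different CA
# than the one that signed the master's current certificate.
def demo
  other_key, ca_key, master_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  other_ca = make_cert("Puppet CA: other.example.test", other_key, ca: true)
  signing_ca = make_cert("Puppet CA: puppetmaster.example.test", ca_key, ca: true)
  master = make_cert("puppetmaster.example.test", master_key,
                     issuer: signing_ca, issuer_key: ca_key)
  { mismatched: check_master_cert(other_ca, master),
    matching: check_master_cert(signing_ca, master) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: code=#{r[:code]} #{r[:message]}" }
end
```

The subject printed in the failure message is the certificate whose issuer could not be found locally, which is why the agent output names the master's CN rather than the agent's.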