Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed

asked 2018-08-31 03:50:08 -0500

Hi,

I'm trying to set up a monolithic Puppet lab for training purposes and after I've signed the cert and I run a

/opt/puppetlabs/bin/puppet agent --test

I get:

2018-08-31 07:51:29.209269 WARN  puppetlabs.facter - locale environment variables were bad; continuing with LANG=C LC_ALL=C
Info: Caching certificate for puppetnode
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetmaster.home]
Exiting; failed to retrieve certificate and waitforcert is disabled

I'm running Ubuntu 18.04 Server and https://apt.puppetlabs.com/puppet-rel...

This is my configuration:

puppetnode - 192.168.1.200:

/etc/hosts

root@puppetnode:/home/puppetnode# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
192.168.1.198 puppetmaster puppetmaster puppet
192.168.1.200 puppetnode puppetnode

/etc/puppetlabs/puppet/puppet.conf

# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html

[main]
certname = puppetnode
server = puppetmaster

cat /etc/hostname

puppetnode

puppetmaster - 192.168.1.198:

/etc/hosts

127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
192.168.1.200 puppetnode puppetnode
192.168.1.198 puppetmaster puppetmaster puppet

/etc/hostname

puppetmaster

I can telnet:

root@puppetnode:/home/puppetnode# telnet puppetmaster 8140
Trying 192.168.1.198...
Connected to puppetmaster.
Escape character is '^]'.

I can ping:

root@puppetnode:/home/puppetnode# ping puppetmaster
PING puppetmaster (192.168.1.198) 56(84) bytes of data.
64 bytes from puppetmaster (192.168.1.198): icmp_seq=1 ttl=64 time=0.364 ms
64 bytes from puppetmaster (192.168.1.198): icmp_seq=2 ttl=64 time=0.156 ms
64 bytes from puppetmaster (192.168.1.198): icmp_seq=3 ttl=64 time=0.138 ms

I did notice that the CA error has puppetmaster.home in the error message. NSLOOKUP results:

root@puppetnode:/home/puppetnode# nslookup puppet
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   puppet
Address: 192.168.1.198

root@puppetnode:/home/puppetnode# nslookup puppetmaster
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   puppetmaster
Address: 192.168.1.198

root@puppetnode:/home/puppetnode# nslookup puppetmaster.home
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find puppetmaster.home: NXDOMAIN

This is the SSL directory on my master:

root@puppetmaster:/home/puppetmaster# puppet config print ssldir
2018-08-31 08:10:10.726268 WARN  puppetlabs.facter - locale ...

2 Answers


answered 2018-08-31 10:49:05 -0500

csharpsteen

The puppetmaster.home certificate name is likely the issue. The agent is connecting to a hostname called puppetmaster. Therefore it expects to be presented with a certificate that has puppetmaster as the Common Name (CN) or a DNS alternative name. Instead it gets a certificate for puppetmaster.home:

Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=puppetmaster.home]

With the CN above, the master has a certificate that is valid for the hostname puppetmaster.home, but not puppetmaster.

The master likely ended up with puppetmaster.home because the default value used for the certname is the FQDN returned by DNS or an /etc/hosts lookup (whatever /etc/nsswitch.conf lists as hostname lookup sources).

DNS alternative names can be assigned to the puppet master using the following setting in puppet.conf:

https://puppet.com/docs/puppet/5.5/co...

Changing the CN or DNS alt names assigned to a node requires destroying and re-issuing the certificate after the configuration is updated. For a master node this can be done via:

  • Stop the puppet and puppetserver services
  • Run: puppet cert clean <old CN>
  • Re-start the services by:
    • For PE: run puppet infrastructure configure
    • For Open Source: start puppetserver and puppet
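A way to reproduce and check this name mismatch locally, added here as an example that is not part of the thread and not Puppet's own tooling: it issues two throwaway self-signed certificates, one with only CN=puppetmaster.home (the situation in the error above) and one that also carries DNS subjectAltName entries (what the dns_alt_names setting adds), and runs the same hostname check an agent's TLS client performs for the name in its `server` setting. It assumes the openssl CLI (1.1.1 or newer) is on PATH; all host names and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: show why a cert whose only
# name is CN=puppetmaster.home fails for `server = puppetmaster`, and why
# adding DNS subjectAltNames fixes it. Assumes the openssl CLI (1.1.1+, for
# -addext / -ext / -verify_hostname). All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert LABEL CN [ALT_NAMES]
# Issue a self-signed cert with subject /CN=CN. ALT_NAMES is an optional
# comma-separated list of DNS names to put in subjectAltName (the role of
# Puppet's dns_alt_names setting). Prints the path of the PEM file.
make_cert() {
    label="$1"; cn="$2"; alt="${3:-}"
    out="$WORK/$label.pem"
    if [ -n "$alt" ]; then
        # "puppetmaster,puppet" -> "DNS:puppetmaster,DNS:puppet"
        san=$(printf '%s' "$alt" | sed 's/[^,][^,]*/DNS:&/g')
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -addext "subjectAltName=$san" \
            -keyout "$WORK/$label.key" -out "$out" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$WORK/$label.key" -out "$out" >/dev/null 2>&1
    fi
    echo "$out"
}

# cert_matches_host CERT HOST
# Succeeds only if CERT is valid for HOST. This is the hostname check OpenSSL
# applies when the agent connects to the name in its `server` setting; once
# a cert carries DNS SANs the CN is no longer consulted, so the certname
# itself has to be listed among the SANs as well.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_names CERT
# Print the names a certificate is actually valid for (subject CN and SANs).
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Walk through the thread's situation: CN-only cert versus cert with SANs.
BROKEN=$(make_cert broken puppetmaster.home)
FIXED=$(make_cert fixed puppetmaster.home "puppetmaster.home,puppetmaster,puppet")

for host in puppetmaster puppet puppetmaster.home; do
    if cert_matches_host "$BROKEN" "$host"; then r=ok; else r=MISMATCH; fi
    echo "CN-only cert,   server = $host: $r"
    if cert_matches_host "$FIXED" "$host"; then r=ok; else r=MISMATCH; fi
    echo "cert with SANs, server = $host: $r"
done
```

Against a live master the names it actually presents can be read with `openssl s_client -connect puppetmaster:8140 -servername puppetmaster </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`; after `dns_alt_names` is set and the master certificate has been cleaned and re-issued, the value of `server` on the agents should appear among the SANs of the file reported by `puppet config print hostcert` on the master.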

answered 2018-08-31 06:29:18 -0500

I just finished completing a CentOS 7 minimal install and everything worked as intended. Not sure what the issue is with Ubuntu. I even tried removing certs and re-authenticating. No go.


Asked: 2018-08-31 03:21:01 -0500