
ssl certificate signature failure

asked 2013-12-05 17:19:04 -0500

samra40390

updated 2013-12-05 18:56:04 -0500

Stefan

Running into certificate verify failed / certificate signature failure in my environment, using open source master version (3.3.2) and agent version (2.7.23).

Step 1: On my master (525880-GIPRD-BASTION1), I can list the certificate for the agent as follows:

[root@525880-GIPRD-BASTION1 srajago]# puppet cert list --all                    
+ "525879-nmprd-bastion1.xyz.int" (SHA256) CF:C5:FD:CA:E1:D2:BA:90:11:FA:0B:A0:BF:88:FD:97:CF:24:CB:87:E8:8B:69:A8:EA:6E:14:72:16:CF:39:83
+ "525880-giprd-bastion1.xyz.int" (SHA256) 17:1D:0C:76:0E:72:04:0F:C5:A3:24:A6:BB ...

2 Answers


answered 2013-12-05 19:15:12 -0500

Stefan

updated 2013-12-13 11:01:03 -0500

The + sign in front of the hostname in the puppet cert output indicates that there already is a signed certificate for that host, so that's why signing a certificate does not work.

But not only does your node need to have a certificate, the node also has to be able to validate the master certificate. For this to work, check the following output on your master:

# This should return the real name of your master
puppet master --configprint certname

# This may be empty or can be a list of names under which your agents may
# contact the server
puppet master ...

answered 2013-12-13 02:38:24 -0500

samra40390

updated 2013-12-13 13:46:48 -0500

Definitely

agent --configprint server

was a help. But in puppet.conf, I had ssldir=$vardir/ssl. Once I restored the original setting ($confdir/ssl), the signature error was gone. I am not sure what the value of $confdir is. But restoring the original content did help. Thank you, Stefan.

Update: I see one other thing I did not do, which is not removing both /etc/puppet/ssl and /var/lib/puppet/ssl. I had removed the ssl/ at /var/lib/puppet but not the other. Both seem to be identical copies, based on contents. Your update also clarified $conf dir ...


Comments

maybe my update helps to answer your recent questions

Stefan (2013-12-13 11:01:22 -0500)
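
The ssldir mix-up described in the second answer, as an added example that is not part of the original thread: it resolves which SSL directory a puppet.conf selects and lists any other SSL tree left on disk, noting whether its CA copy matches the active one. The function names are hypothetical, the defaults (confdir=/etc/puppet, vardir=/var/lib/puppet, ssldir=$confdir/ssl) are assumed for a Puppet 3.x root install, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumed Puppet 3.x defaults when run as root: confdir=/etc/puppet,
# vardir=/var/lib/puppet, ssldir=$confdir/ssl.

# resolve_ssldir CONF CONFDIR VARDIR: print the ssldir that CONF selects.
# Simplification: the last ssldir line wins, whatever section it is in.
resolve_ssldir() {
    raw=$(sed -n 's/^[[:space:]]*ssldir[[:space:]]*=[[:space:]]*//p' "$1" |
          sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$raw" ] || raw='$confdir/ssl'
    printf '%s\n' "$raw" |
        sed -e 's|\$confdir|'"$2"'|' -e 's|\$vardir|'"$3"'|'
}

# other_ssl_trees ACTIVE DIR...: list every DIR other than ACTIVE that
# still holds a CA certificate, and whether it matches the active copy.
other_ssl_trees() {
    active=$1; shift
    for d in "$@"; do
        if [ "$d" != "$active" ] && [ -f "$d/certs/ca.pem" ]; then
            if cmp -s "$d/certs/ca.pem" "$active/certs/ca.pem"; then
                echo "$d same-ca"
            else
                echo "$d different-ca"
            fi
        fi
    done
}

# demo: constructed layout mirroring the thread (ssldir moved to $vardir/ssl,
# an older tree left under the conf directory). File contents are dummies.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/ssl/certs" "$t/var/ssl/certs"
    printf '[main]\nssldir = $vardir/ssl\n' > "$t/puppet.conf"
    echo 'constructed CA A' > "$t/etc/ssl/certs/ca.pem"
    echo 'constructed CA B' > "$t/var/ssl/certs/ca.pem"
    active=$(resolve_ssldir "$t/puppet.conf" "$t/etc" "$t/var")
    echo "active: ${active#$t}"
    other_ssl_trees "$active" "$t/etc/ssl" "$t/var/ssl" | sed "s|$t||"
    rm -rf "$t"
}
demo
# On a real agent, pass the value of `puppet agent --configprint ssldir`
# as ACTIVE, followed by /etc/puppet/ssl and /var/lib/puppet/ssl.
```

A tree reported as different-ca holds a CA certificate from another CA generation; pointing ssldir at it makes every certificate signed by the current CA fail verification.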

Stats

Asked: 2013-12-05 17:19:04 -0500

Seen: 98,480 times

Last updated: Dec 13 '13