
ssl certificate signature failure

asked 2013-12-05 17:19:04 -0600

samra40390

updated 2013-12-05 18:56:04 -0600

Stefan

Running into certificate verify failed / certificate signature failure in my environment, using open source master version (3.3.2) and agent version (2.7.23).

Step 1: on my master (525880-GIPRD-BASTION1), I can list the certificate for the agent as follows:

[root@525880-GIPRD-BASTION1 srajago]# puppet cert list --all                    
+ "" (SHA256) CF:C5:FD:CA:E1:D2:BA:90:11:FA:0B:A0:BF:88:FD:97:CF:24:CB:87:E8:8B:69:A8:EA:6E:14:72:16:CF:39:83
+ "" (SHA256) 17:1D:0C:76:0E:72:04:0F:C5:A3:24:A6:BB ...

2 Answers


answered 2013-12-05 19:15:12 -0600

Stefan

updated 2013-12-13 11:01:03 -0600

The + sign in front of the hostname in the puppet cert output indicates that there already is a signed certificate for that host, so that's why signing a certificate does not work.

But not only does your node need to have a certificate, the node also has to be able to validate the master certificate. For this to work, check the following output on your master:

# This should return the real name of your master
puppet master --configprint certname

# This may be empty or can be a list of names under which your agents may contact
# the server
puppet master ...

answered 2013-12-13 02:38:24 -0600

samra40390

updated 2013-12-13 13:46:48 -0600


agent --configprint server

was a help. But in puppet.conf, I had ssldir=$vardir/ssl. Once I restored the original setting ($confdir/ssl), the signature error was gone. I am not sure what the value of $confdir is. But restoring the original content did help. Thank you, Stefan.

Update: I see one other thing I did not do, which is not removing both /etc/puppet/ssl and /var/lib/puppet/ssl. I had removed the ssl/ at /var/lib/puppet but not the other. Both seem to be identical copies, based on contents. Your update also clarified $confdir ...



Maybe my update helps to answer your recent questions.

Stefan ( 2013-12-13 11:01:22 -0600 )
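
The resolution in the thread above came down to which ssldir Puppet actually resolves and whether a second SSL directory was left behind. As an added example (not from the original posts and not Puppet's own code), this Python script resolves ssldir from puppet.conf text and compares the CA certificate fingerprint in the configured and default directories. The default paths (Puppet 3.x run as root), the simplified parser and all function names are assumptions.

```python
import base64, hashlib, re
from pathlib import Path

# Assumed Puppet 3.x defaults when run as root; adjust for other layouts.
DEFAULTS = {"confdir": "/etc/puppet", "vardir": "/var/lib/puppet", "ssldir": "$confdir/ssl"}
# Constructed sample reproducing the relocated setting described in the thread.
SAMPLE_CONF = "[main]\n    # relocated SSL directory\n    ssldir = $vardir/ssl\n[agent]\n    server = puppet\n"

def parse_conf(text):
    """Parse puppet.conf text into {section: {setting: value}} (simplified parser)."""
    sections, current = {}, "main"
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def effective_ssldir(text, run_mode="agent"):
    """Resolve ssldir with precedence defaults < [main] < [run_mode], expanding $vars."""
    sections = parse_conf(text)
    settings = {**DEFAULTS, **sections.get("main", {}), **sections.get(run_mode, {})}
    value = settings["ssldir"]
    for _ in range(10):  # bounded so a self-referencing setting cannot loop forever
        expanded = re.sub(r"\$\{?(\w+)\}?", lambda m: settings.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value

def ca_fingerprint(ssldir, root="/"):
    """SHA256 of the DER bytes of <root>/<ssldir>/certs/ca.pem, colon-separated, or None."""
    ca = Path(root) / ssldir.lstrip("/") / "certs" / "ca.pem"
    if not ca.is_file():
        return None
    body = "".join(l for l in ca.read_text().splitlines() if l and not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit(text, root="/", run_mode="agent"):
    """Report the ssldir in use versus the default and whether two different CAs exist."""
    in_use, default = effective_ssldir(text, run_mode), effective_ssldir("", run_mode)
    used_fp, default_fp = ca_fingerprint(in_use, root), ca_fingerprint(default, root)
    return {"in_use": in_use, "default": default, "relocated": in_use != default,
            "stale_copy": in_use != default and default_fp is not None,
            "ca_differs": None not in (used_fp, default_fp) and used_fp != default_fp}
```

Calling `audit(Path("/etc/puppet/puppet.conf").read_text())` on a node shows whether ssldir has been moved away from the default and whether a leftover directory holds a different CA certificate than the one in use.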



Asked: 2013-12-05 17:19:04 -0600

Seen: 157,976 times

Last updated: Dec 13 '13