Ask Your Question

SSL cert self signed error

asked 2014-01-02 18:07:32 -0600

rroot gravatar image

updated 2014-01-02 18:09:20 -0600


I recently attended the puppet fundamentals class and looking to turn the existing master Vbox vm we configured and used in the lab as a local master to other Vbox nodes. Every time i run a agent connection to my master with this command: puppet agent --test --server=cr.puppetlabs.vm


Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA generated on classroom.puppetlabs.vm at 2013-12-10 10:42 ...
edit retag flag offensive close merge delete


Was your problem solved? If so, you should mark an answer as accepted.

spuder gravatar imagespuder ( 2014-09-29 17:58:34 -0600 )edit

4 Answers

Sort by ยป oldest newest most voted

answered 2014-06-26 13:48:11 -0600

updated 2014-09-29 17:54:30 -0600

spuder gravatar image

Your quickest solution is to remove the Puppet SSL directories on the Puppet clients and then regenerate the certificates again. Here's an example on the agent:

# Determine my ssldir (It's different with Puppet Enterprise, Puppet OSS or your local environment
[root@agent1 ~]# puppet agent --configprint ssldir
# Remove the ssl directory
[root@agent1 ~]# mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old 
[root@agent1 ~]# puppet agent --test
Info: Creating a new SSL key for
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for
Info: Certificate Request fingerprint (SHA256): 16:AA:BB:CC:DD:EE:FF:GG:HH:II:JJ:KK:LL:MM:NN::90:1A
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
[root@agent1 ~]#

And then on the master, sign the certificates again.

This is a common problem in desktop virtualization environments, because as we struggle to fit our VMs into our virtual lab environment the hostname for the VM can change due to our configuration, how DHCP is configured, strangeness with DNS in a VM environment, etc. For example, VMWare assigned the hostname to one of my agents when I was on the train, but when I returned to the office VMWare set the hostname to be

edit flag offensive delete link more


I'm having the same problem in my production environment. Do we've any alternate solutions for this?

jag gravatar imagejag ( 2017-11-28 21:19:41 -0600 )edit

answered 2014-01-15 23:31:07 -0600

rjc gravatar image

Check /opt/puppet, /var/puppet, /var/lib/puppet and their subdirectories for old SSL certificates.

P.S. It might be easier to remove all packages and start afresh.

edit flag offensive delete link more

answered 2017-12-06 01:47:49 -0600

manoharreddyg gravatar image

updated 2017-12-06 01:48:11 -0600

try this on puppet agent

puppet agent --waitforcert=100 or puppet agent --server master-server --waitforcert 60 --test

edit flag offensive delete link more


No, this won't work. The problem as shown in the message is that the certificate validation is failing. Waiting for a longer period of time won't help.

stefanlasiewski gravatar imagestefanlasiewski ( 2018-07-05 13:51:04 -0600 )edit

answered 2015-02-11 15:37:53 -0600

I have this problem on a node. I had previously used the node as a master. I uninstalled puppet and created a new certificate after re-installing. I then go to the master and sign the cert. I get this error. I do not get this error on any of my other nodes. The time on the machines is identical, and I've gone through these steps many times - erase the ssl directory on the agent, clean the cert on the master, but I always get this error.

edit flag offensive delete link more



Yeah i thought so too, Im playing around with creating a new Puppet Master but wanted to re-assign a node to the old Puppet Master. So the old way of clearing the /var/lib/puppet/ssl/* did not work. Then reinstalling the puppet package failed. What did work for me is removing /etc/puppet/ssl/*

Shiver1976 gravatar imageShiver1976 ( 2015-06-24 13:12:33 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-01-02 18:07:32 -0600

Seen: 30,533 times

Last updated: Dec 06 '17