Ask Your Question

SSL Error after PE 3.0.0 to PE 3.2.0 Upgrade

asked 2014-03-06 10:16:28 -0600

derevan@cisco gravatar image

updated 2014-03-06 20:11:53 -0600

Stefan gravatar image

I upgraded from PE 3.0.0 to PE 3.2.0 (via PE 3.0.1 per upgrade notes). I now get the following errors during puppet agent runs:

Warning: Unable to fetch my node definition, but the agent run will continue: Warning: Error 400 on SERVER: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert decrypt error

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for cscomwk6.tidalsoft.local to PuppetDB at puppetmaster3.tidalsoft.local:8081: SSL_connect returned=1 errno=0 state=SSLv3 ... (more)

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2014-03-06 20:11:15 -0600

Stefan gravatar image

The error indicates that you puppet master cannot speak to PuppetDB. The communication between the puppet master process and puppetdb is SSL encrypted and PuppetDB will use the same certificates as your puppet agent (even if PuppetDB is installed on the same host as your puppet master)

However, older versions of PuppetDB (prior to 1.4) have a seperate SSL directory with a java truststore and keystore where it holds a copy of the agents certificate. If you now change the certificates on the server that is running PuppetDB, the keystore will now contain an invalid certificate. Newer versions of ... (more)

edit flag offensive delete link more


Thanks for the help. That certainly fixed the problem with PuppetDB. But now I am having a basic problem running "puppet agent -t". Error is: Warning: Unable to fetch my ...(more)

derevan@cisco gravatar imagederevan@cisco ( 2014-03-07 18:03:25 -0600 )edit

If regenerating master and client cert does not work, please post the apache vhost configuration of your puppetmaster. Maybe your SSL settings are incorrect.

Stefan gravatar imageStefan ( 2014-03-08 05:45:26 -0600 )edit

I compared with a working puppet master and they are identical except for the CN name, which is correct. I am going to try installing 3.2 from scratch, rather ...(more)

derevan@cisco gravatar imagederevan@cisco ( 2014-03-08 10:02:16 -0600 )edit

answered 2014-03-08 10:37:50 -0600

derevan@cisco gravatar image

I ended up re-installing my puppet master. everything is fine now.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-03-06 10:16:28 -0600

Seen: 573 times

Last updated: Mar 08 '14