puppet client server - couldn't verify certificate

asked 2014-05-05 05:35:32 -0500 by Ramkumar Nagaraj

updated 2014-05-05 08:50:49 -0500 by ffrank

We tried to set up a Puppet client-server architecture by installing puppet-server (through the Yum repository) on the puppet master and puppet (through the Yum repository) on another server, the client machine. When the client tries to receive the signed certificate from the puppet-master server, it fails with the following error:

Puppet master:

[root@puppet-master ~]# puppetca --list
  "puppet-client1" (BF:56:F7:B3:FB:CA:6A:9A:44:9B:9E:0C:BE:F3:5D:FD)
[root@puppet-master ~]# puppetca --sign puppet-client1
notice: Signed certificate request for puppet-client1
notice: Removing file Puppet::SSL::CertificateRequest puppet-client1 at '/var/lib/puppet/ssl/ca/requests/puppet-client1.pem'

Puppet Client:

[root@puppet-client1 ~]# puppet agent --verbose  --logdest console --no-daemonize --server=puppet-master
info: Creating a new SSL key for puppet-client1
info: Caching certificate for ca
info: Creating a new SSL certificate request for puppet-client1
info: Certificate Request fingerprint (md5): BF:56:F7:B3:FB:CA:6A:9A:44:9B:9E:0C:BE:F3:5D:FD
notice: Did not receive certificate
info: Caching certificate for puppet-client1
notice: Starting Puppet client version 2.7.23
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet-master]
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet-master]

Rgrds, Ram.


Comments

Has the agent perhaps connected to a different master before? The agent may have an outdated CA certificate or CRL cached, for example. Also, what is the CN of the master's certificate?

ffrank (2014-05-05 08:52:59 -0500)

No, these are freshly installed systems and the Puppet setup is being done for the first time, so this agent was not connected to any master before. How can I get the CN of the master's certificate?

Ramkumar Nagaraj (2014-05-06 03:20:33 -0500)

2 Answers

answered 2014-05-05 11:17:06 -0500 by doc75

Did you check this troubleshooting section? => Cert Troubleshooting


Comments

Yes, I tried that, but it still didn't fix it. There is no time lag between client and master; both are running at the same time.

Ramkumar Nagaraj (2014-05-06 03:21:10 -0500)

The certificate is OK.

    [root@b-webapp1 ~]# openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/b-webapp1.fastenal.com.pem
    /var/lib/puppet/ssl/certs/b-webapp1.fastenal.com.pem: OK

Ramkumar Nagaraj (2014-05-06 03:25:22 -0500)

Are you sure that puppet-master resolves to the correct IP address on the client?

doc75 (2014-05-06 05:57:20 -0500)

So your agent cert checks out, but apparently the agent takes issue with the CN=puppet-master cert. Does that verify OK vs. the CA cert?

ffrank (2014-05-06 11:15:34 -0500)

Yes, the puppetmaster is able to resolve the correct IP address of the client. Peer-to-peer communication using telnet and ping is fine between both servers. Yes, the openssl cert verify for the puppet master is also OK, so there are no issues with these individual certs.

Ramkumar Nagaraj (2014-05-07 01:52:40 -0500)

answered 2014-05-12 05:22:02 -0500 by Ramkumar Nagaraj

I reconfigured the puppet.conf file to reflect the puppet master name and then removed the ssl directory on the client server. After that I re-initiated the certificate request and it went smoothly.

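The diagnosis ffrank asks for in the comments (does the master's certificate verify against the `ca.pem` the agent has cached, and what is its CN?) and the `openssl verify` check posted above can be run with plain `openssl` before deleting the agent's `ssl` directory, which is what the accepted fix does. The script below is an added example, not code from this thread or from Puppet: it generates its own throwaway CA, a second unrelated CA that plays the role of a stale cached `ca.pem`, and a master certificate (all constructed material), then shows the verify-OK and verify-failed cases side by side. It assumes only that `openssl` is on `PATH`; `WORK`, `good-ca`, `stale-ca` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Puppet itself.
# Reproduces the check ffrank suggests: does the master's cert verify against
# the ca.pem the agent has cached, and what CN does it carry? A second,
# unrelated CA stands in for a stale ca.pem left over from an earlier master.
# All keys and certs are generated here (constructed); only 'openssl' on PATH
# is assumed. WORK is a scratch directory.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME CN: self-signed CA (the role of the master's CA certificate)
make_ca() {
    openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$2" -extensions ca_ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_cert CA CN: CSR for CN, signed by CA (what 'puppetca --sign' does)
sign_cert() {
    openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# cert_cn FILE: subject in RFC 2253 form, e.g. "CN=puppet-master"
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# ca_fingerprint FILE: SHA-256 fingerprint, to compare the agent's cached
# ca.pem with the master's CA before deleting anything
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# diagnose CACHED_CA MASTER_CERT: returns 0 if the cached CA verifies the
# master cert, 1 otherwise (the agent's "certificate verify failed" case)
diagnose() {
    cn=$(cert_cn "$2")
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo "OK: /$cn verifies against CA $(ca_fingerprint "$1")"
        return 0
    fi
    echo "FAIL: /$cn vs cached CA $(ca_fingerprint "$1"): $out"
    return 1
}

# Both CAs carry the same name, as happens when a master is reinstalled and
# regenerates its CA: the name matches, the key does not.
make_ca good-ca  "Puppet CA: puppet-master"
make_ca stale-ca "Puppet CA: puppet-master"
sign_cert good-ca puppet-master

echo "master cert subject: $(cert_cn "$WORK/puppet-master.pem")"
diagnose "$WORK/good-ca.pem"  "$WORK/puppet-master.pem" || true
diagnose "$WORK/stale-ca.pem" "$WORK/puppet-master.pem" || true
```

On a real agent the same three commands apply to `/var/lib/puppet/ssl/certs/ca.pem` and a copy of the master's own certificate: if the fingerprint of the agent's cached `ca.pem` differs from the CA the master is using, wiping the agent's `ssl` directory and re-requesting a certificate, as the accepted answer does, is the right fix; if they match and the master cert still fails to verify, the problem is elsewhere (for example the agent talking to a different host than it thinks).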
