I'm having trouble setting up a master/node scenario with Puppet 3.3.1 (Puppet open source) on both master and slaves. The slaves are on a Windows and a SLES machine. The master is also on a SLES machine.

The problem: The first time I start the agent, it creates a new certificate and sends it to the master. On the master I can see the certificate request and accept it. When I start the agent again then this message appears:

    Running Puppet agent on demand ...
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com]
    Info: Retrieving plugin
    Error: /File[C:/Dokumente und Einstellungen/All Users/Anwendungsdaten/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com]
    Error: /File[C:/Dokumente und Einstellungen/All Users/Anwendungsdaten/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com] Could not retrieve file metadata for puppet://my-master.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com]
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com]
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=my-master.com]

The weird thing is that it already worked, but now it does not. These are the steps I've already tried to fix this problem:

  • Synchronized the clocks / date on all three servers.
  • Removed everything in /var/lib/puppet/.puppet/ssl on the master
  • Removed everything in /var/lib/puppet/ssl on the nodes
  • Restarted the master service several times.
  • The same error occurs on both nodes (SLES and Windows)
  • Puppet agent certificate verify failure didn't fix the problem

Michel

1 Answer

Find what each side considers to be the active CA:

  • on the master: puppet master --configprint cacert
  • on the agent: puppet agent --configprint cacert

Make sure that the agents trust the same CA that the master uses for signing. If in doubt, replace the copy on the agent. It should then accept a freshly signed certificate.

For a clean slate, you should only:

  1. remove all $(facter fqdn).pem files from $ssldir on the agent
  2. run puppet cert clean <fqdn> on the master

The agent should then issue yet another CSR, and if its copy of the CA is definitely in sync, it should then finally accept the certificate.

Felix Frank
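Added example, not part of Felix Frank's answer or of Puppet itself: a small Python script that performs the check the answer describes, comparing the CA certificate each side reports via --configprint cacert by SHA-256 fingerprint of the DER encoding, which is the same digest openssl x509 -noout -fingerprint -sha256 prints. Python is used instead of the shell commands above so the comparison runs without puppet or openssl installed. The PEM blobs embedded here are constructed placeholders, not real X.509 certificates, and the file paths in the comments are assumptions; on a real system you would feed read_ca() the two paths that --configprint cacert printed.

```python
import base64
import hashlib
import re

# Matches one PEM CERTIFICATE block; a Puppet CA file normally holds a single cert.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # Base64 body may be wrapped at 64 columns; strip all whitespace before decoding.
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_sha256(pem_text):
    """Colon-separated SHA-256 fingerprint of the DER, formatted as openssl prints it."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(master_ca_pem, agent_ca_pem):
    """Classify the agent's CA copy relative to the CA the master signs with."""
    if fingerprint_sha256(master_ca_pem) == fingerprint_sha256(agent_ca_pem):
        # Same CA on both sides: the signature failure has another cause
        # (stale agent cert, clock skew, wrong server name), so look there next.
        return "ca-in-sync"
    # Different CA: the agent can never verify a cert signed by the master.
    # Replace the agent's copy with the master's and let it issue a new CSR.
    return "ca-mismatch"


def read_ca(path):
    """Read a CA PEM file from disk (path printed by `puppet ... --configprint cacert`)."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


def _constructed_pem(label):
    """Constructed placeholder PEM for this example; the body is NOT a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs standing in for the two files under comparison.
MASTER_CA_PEM = _constructed_pem("constructed: CA the master signs with")
AGENT_CA_PEM_STALE = _constructed_pem("constructed: old CA left in the agent ssldir")
AGENT_CA_PEM_SYNCED = MASTER_CA_PEM


if __name__ == "__main__":
    # Real usage (assumed paths, substitute what --configprint cacert printed on each host):
    #   diagnose(read_ca("/path/from/master/configprint"), read_ca("/path/from/agent/configprint"))
    print("master :", fingerprint_sha256(MASTER_CA_PEM))
    print("stale  :", fingerprint_sha256(AGENT_CA_PEM_STALE),
          diagnose(MASTER_CA_PEM, AGENT_CA_PEM_STALE))
    print("synced :", fingerprint_sha256(AGENT_CA_PEM_SYNCED),
          diagnose(MASTER_CA_PEM, AGENT_CA_PEM_SYNCED))
```

When the two fingerprints differ, the "certificate signature failure" in the log above is expected: the agent is checking the master's certificate against a CA that never signed it, which is why wiping only the agent's host certificate (step 1 of the clean slate) does not help until the CA copy is replaced as well.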