Puppet: certificate verify failed


Apparently the problem lay in the fact that Apache was still running (and thus still had a puppet master spawned via Passenger).

MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
MASTER /etc/apache2/sites-enabled # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/ca/signed/puppet.x.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/certs/puppet.x.pem'
Notice: Removing file Puppet::SSL::Key puppet.x at '/var/lib/puppet/ssl/private_keys/puppet.x.pem'
MASTER /etc/apache2/sites-enabled # puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.x
Info: Creating a new SSL certificate request for puppet.x
Info: Certificate Request fingerprint (SHA256): DB:8C:2D:71:54:C4:B7:03:79:38:E2:26:94:51:12:89:6F:E0:24:AC:F2:16:C0:5A:7A:B6:7D:4F:DD:6C:98:0D
Notice: puppet.x has a waiting certificate request
Notice: Signed certificate request for puppet.x
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/ca/requests/puppet.x.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/certificate_requests/puppet.x.pem'
Notice: Starting Puppet master version 3.1.1
^CNotice: Caught INT; calling stop
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2.
MASTER /etc/apache2/sites-enabled # puppet cert sign --all
Notice: Signed certificate request for efikamx-561a37.x
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-561a37.x at '/var/lib/puppet/ssl/ca/requests/efikamx-561a37.x.pem'

And now I can correctly generate and sign the keys on the client:

CLIENT ~ # rm -rf /var/lib/puppet/ssl/*
CLIENT ~ # puppet agent -t
info: Creating a new SSL key for efikamx-9ba3ab.x.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for efikamx-9ba3ab.x.com
info: Certificate Request fingerprint (md5): 8C:9E:6E:95:B8:70:B9:A2:98:CB:A5:87:BC:66:33:A4
Exiting; no certificate found and waitforcert is disabled
CLIENT ~ # puppet agent --no-daemonize  --onetime --verbose --waitforcert 60
info: Caching certificate for efikamx-9ba3ab.x.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for efikamx-9ba3ab.x.com
info: Applying configuration version '1373327419'
notice: /Stage[essential]/Efikamx-repository/File[/etc/apt/sources.list.d/multistrap-stable.list]/content: content changed '{md5}fbba0743add1cb9e54f7484b2c7a1f59' to '{md5}5941829a1b3a18b02f5bd6367e36e635'
[...]
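The "certificate verify failed" error in the question and the fix above both come down to one question: is the CA certificate the agent cached under /var/lib/puppet/ssl still the CA the master is serving? This added check (not code from the post or from Puppet) computes certificate fingerprints the way Puppet and OpenSSL print them, a digest over the DER bytes in colon-separated hex, and compares the master's CA with the agent's cached copy. The two PEM blobs are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block out of PEM text and decode it to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint = digest of the DER encoding, formatted as Puppet shows it (AB:CD:...)."""
    digest = hashlib.new(algo, pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def ca_matches(master_ca_pem: str, agent_ca_pem: str) -> bool:
    """True when the agent's cached ca.pem is the same certificate the master's CA currently uses."""
    return fingerprint(master_ca_pem) == fingerprint(agent_ca_pem)


def diagnose(master_ca_pem: str, agent_ca_pem: str) -> str:
    """Explain a mismatch in terms of the files involved (paths as used on the page)."""
    if ca_matches(master_ca_pem, agent_ca_pem):
        return "ok: agent ca.pem matches the master CA"
    return (
        "mismatch: agent /var/lib/puppet/ssl/certs/ca.pem is "
        f"{fingerprint(agent_ca_pem)} but master /var/lib/puppet/ssl/ca/ca_crt.pem is "
        f"{fingerprint(master_ca_pem)}; the master must serve its current CA "
        "(no stale Passenger-spawned master) before the agent re-requests its certificate"
    )


def _fake_pem(payload: bytes) -> str:
    # Constructed sample only: wraps arbitrary bytes so the fingerprint math can run offline.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed inputs: the CA the master serves after `puppet cert clean --all`, and a stale copy.
MASTER_CA = _fake_pem(b"constructed-ca-after-regeneration")
STALE_AGENT_CA = _fake_pem(b"constructed-ca-before-regeneration")

if __name__ == "__main__":
    print(diagnose(MASTER_CA, STALE_AGENT_CA))
    print(diagnose(MASTER_CA, MASTER_CA))
```

On a real setup, pass the contents of the master's ca_crt.pem and the agent's cached ca.pem; a mismatch is the case the answer above resolves by wiping the agent's ssl directory after the master's CA has actually been regenerated.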
Author: Tuinslak

Updated on September 18, 2022

Comments

  • Tuinslak
    Tuinslak almost 2 years

    Due to a screw up, I have to regenerate client & server certificates.

    As far as I know, the master certificates are automatically generated.

    So I generated keys on the client:

    MASTER # puppet cert clean --all
    Notice: Revoked certificate with serial 2
    Notice: Revoked certificate with serial 6
    Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/ca/signed/puppet.x.com.pem'
    Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/certs/puppet.x.com.pem'
    Notice: Removing file Puppet::SSL::Key puppet.x.com at '/var/lib/puppet/ssl/private_keys/puppet.x.com.pem'
    Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/signed/efikamx-9ba3ab.x.com.pem'
    Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/certs/efikamx-9ba3ab.x.com.pem'
    
    puppet agent --no-daemonize  --onetime --verbose --waitforcert 60 
    notice: Did not receive certificate
    info: Caching certificate for efikamx-561a37.botnet.corp.flatturtle.com
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
    notice: Using cached catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
    
    MASTER # puppet cert sign --all
    Notice: Signed certificate request for efikamx-9ba3ab.x.com
    Notice: Removing file Puppet::SSL::CertificateRequest efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/requests/efikamx-9ba3ab.x.com.pem'
    
    CLIENT # puppet agent -t
    info: Caching certificate for efikamx-9ba3ab.x.com
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
    

    Before you ask, yes, ntp is running and both clients have the correct time.

    What's the correct way to purge all the certificates on both ends and correctly regenerate everything?

    I've run:

    find /var/lib/puppet -type f -print0 |xargs -0r rm
    

    and

    rm -rf /var/lib/puppet/ssl/*
    

    on the client, but that did not help.

    This is a mixture of Puppet 2 and Puppet 3 by the way.

    • Zoredache
      Zoredache almost 11 years
      When you say mixture of puppet 2 & 3, which one is v3? The docs strongly suggest that the puppetmaster should always be newer than any clients.
    • Tuinslak
      Tuinslak almost 11 years
      The master is version 3.1.1; the clients are either 2.7.x or 3.x (right now, I'm testing with two 2.7 clients)