Puppet Device unable to get local issuer certificate
OK, figured it out.
As I said, I cleared and regenerated Puppet's certs, BUT what I didn't do was clear:
    /opt/puppetlabs/puppet/cache/devices/
Puppet cached an old cert for the device, so it was trying to use that one instead of generating a new one.
After deleting the contents of that folder I was able to run puppet device.
Geoffrey McCosker
Updated on September 18, 2022

Geoffrey McCosker, almost 2 years ago:
I installed puppet 4.3 and centos7 to use Puppet Device to manage Cisco routers. The server hostname is "puppetmaster" (by running hostnamectl puppetmaster). The centos server is running puppet master and agent. After setting everything up and configuring device.conf, when I run sudo puppet device --debug I see these errors:
    Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
    Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
I can run puppet agent --test on the server successfully:

    sudo puppet agent --test
    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Caching catalog for puppetmaster
    Info: Applying configuration version '1449189804'
Here is my /etc/puppetlabs/puppet/device.conf:

    [r1]
    type cisco
    url telnet://puppet:123456@r1/
Here is my /etc/puppetlabs/puppet/puppet.conf:

    [master]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    codedir = /etc/puppetlabs/code
    dns_alt_names = puppetmaster

    [agent]
    certname = puppetmaster
    server = puppetmaster
This has to be some kind of cert problem, like a name mismatch, but I don't know what could be causing it. The agent is running on the same server as the master and I set all the configs correctly (at least I think I did).
Here is the cert returned by puppet:

    sudo puppet cert --print --all | grep CN
    Issuer: CN=Puppet CA: puppetmaster
    Subject: CN=puppetmaster
Here are the raw ca.pem and puppetmaster.pem certs:

    openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
    Issuer: CN=Puppet CA: puppetmaster
    Subject: CN=Puppet CA: puppetmaster
    DirName:/CN=Puppet CA: puppetmaster

    openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
    Issuer: CN=Puppet CA: puppetmaster
    Subject: CN=puppetmaster
When I run openssl to verify the cert I see the same error:

    sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
    /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
    error 20 at 0 depth lookup:unable to get local issuer certificate
I confirmed my config settings and went through the process to clean the certs (multiple times) but no dice.