Puppet Device unable to get local issuer certificate

OK figured it out.

As I said, I cleared and regenerated Puppet's certs BUT what I didn't do was clear:

/opt/puppetlabs/puppet/cache/devices/

Puppet cached an old cert for the device so it was trying to use that one instead of generating a new one.

After deleting the contents of that folder I was able to run puppet device.
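A shell check for the stale-cache condition the answer describes, added here as an example and not taken from the original post or from Puppet itself: it verifies each cached device cert under the devices directory against the current CA with `openssl verify -CAfile` (the `-CApath` option used in the question expects a c_rehash'd directory, not a PEM file, so that verify could not find the issuer regardless of the cache), and builds a throwaway old-CA/new-CA tree to demonstrate. The per-device `ssl/certs/<device>.pem` layout under the cache directory is an assumption based on Puppet's usual ssldir convention.

```shell
# Added example, not from the original post or from Puppet: report cached device
# identities that no longer chain to the current Puppet CA. Assumed cache
# layout (Puppet's usual ssldir convention): $DEVICES_DIR/<dev>/ssl/certs/<dev>.pem
set -u
# cert_verifies CA_FILE CERT_FILE -> 0 if CERT_FILE chains to CA_FILE, else 1.
# -CAfile takes a PEM bundle; -CApath (as used in the question) expects a
# c_rehash'd directory, so pointing it at ca.pem cannot find the issuer.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# list_stale_devices DEVICES_DIR CA_FILE -> prints one name per line for each
# device whose cached cert fails to verify; devices with no cached cert are
# skipped (puppet device will simply request a new one for them).
list_stale_devices() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        cert="$d/ssl/certs/$name.pem"
        [ -f "$cert" ] || continue
        cert_verifies "$2" "$cert" || printf '%s\n' "$name"
    done
}
make_ca() {  # make_ca DIR NAME: constructed throwaway self-signed CA, 1-day validity
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA: $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_device_cert CADIR CANAME DEVICES_DIR DEVICE: a device cert signed by
# that CA, placed where the assumed cache layout expects it.
make_device_cert() {
    mkdir -p "$3/$4/ssl/certs"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$3/$4/ssl/$4.key" -out "$3/$4/$4.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$3/$4/$4.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$3/$4/ssl/certs/$4.pem" >/dev/null 2>&1
}

# demo: r1 was cached under an old CA (as in the post), r2 under the current
# one, r3 has no cached cert yet -> only r1 is reported.
demo() {
    tmp=$(mktemp -d)
    make_ca "$tmp" old_ca && make_ca "$tmp" puppetmaster
    make_device_cert "$tmp" old_ca "$tmp/devices" r1
    make_device_cert "$tmp" puppetmaster "$tmp/devices" r2
    mkdir -p "$tmp/devices/r3"
    list_stale_devices "$tmp/devices" "$tmp/puppetmaster.pem"   # prints: r1
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Run the file with the argument `demo` to see the constructed case, or source it and call `list_stale_devices /opt/puppetlabs/puppet/cache/devices /etc/puppetlabs/puppet/ssl/certs/ca.pem` on a real master; any name it prints is a device whose cached identity should be removed before re-running puppet device.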

Author: Geoffrey McCosker

Updated on September 18, 2022

Comments

  • Geoffrey McCosker (almost 2 years)

    I installed Puppet 4.3 on CentOS 7 to use Puppet Device to manage Cisco routers. The server hostname is "puppetmaster" (set by running hostnamectl puppetmaster). The CentOS server is running the Puppet master and agent.

    After setting everything up and configuring device.conf when I run sudo puppet device --debug I see these errors:

    Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
    Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
    

    I can run puppet agent --test on the server successfully:

    sudo puppet agent --test
    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Caching catalog for puppetmaster
    Info: Applying configuration version '1449189804'
    

    Here is my /etc/puppetlabs/puppet/device.conf

    [r1]
    type cisco
    url telnet://puppet:123456@r1/
    

    Here is my /etc/puppetlabs/puppet/puppet.conf

    [master]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    codedir = /etc/puppetlabs/code
    dns_alt_names = puppetmaster
    
    [agent]
    certname = puppetmaster
    server = puppetmaster
    

    This has to be some kind of cert problem, like a name mismatch, but I don't know what could be causing it. The agent is running on the same server as the master and I set all the configs correctly (at least I think I did).

    Here is the cert returned by puppet:

    sudo puppet cert --print --all | grep CN
            Issuer: CN=Puppet CA: puppetmaster
            Subject: CN=puppetmaster
    

    Here are the raw ca.pem and puppetmaster.pem certs:

    openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
            Issuer: CN=Puppet CA: puppetmaster
            Subject: CN=Puppet CA: puppetmaster
                    DirName:/CN=Puppet CA: puppetmaster
    openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
            Issuer: CN=Puppet CA: puppetmaster
            Subject: CN=puppetmaster
    

    When I run openssl to verify the cert I see the same error:

    sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
    
    /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
    error 20 at 0 depth lookup:unable to get local issuer certificate
    

    I confirmed my config settings and went through the process to clean the certs (multiple times) but no dice.