FAQ
Hi!

I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a rpm
supplied by yum.puppetlabs.com.

I've setup a apache2 vhost with mod_ssl and passenger. The server is
configured to autosign the cert requests.

The agent installed on the puppetmaster's server works fine. I've a second
agent on a server which can sync with the server too. This server is on
CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. All virtual
machines are configured to join a network bridge. Some iptables rules
forward the traffic from the VM to the world (and vice-et-versa). The world
can connect to the VM (i.e. SSH) and the VM can go to the world.

On the hypervisor, i've a VM on CentOS 6.2 too. The DNS name 'puppet' is
resolved by the hypervisor (which has a dnsmasq server). When i'm launching
the puppet agent for the first time, a cert is generated by the server. The
client has now the certs and key on its filesystem. But when the client is
trying to sync with the server, i've got the following output :
[root@machine-1 ~]# puppet agent --test
info: Creating a new SSL key for machine-1.test.betrancourt.net
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for
machine-1.test.betrancourt.net
info: Certificate Request fingerprint (md5):
BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for machine-1.test.betrancourt.net
err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol
version
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: tlsv1 alert protocol version
[root@machine-1 ~]#

The client cert is into the server cert db :
[root@medion ~]# puppetca list --all | grep machine-1
+ machine-1.test.betrancourt.net
(1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)

In puppet.conf, on the server, i've the following content:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
pluginsync = true

[master]
autosign = true
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

My apache vhost is configured like this:
<VirtualHost 192.168.1.60:8140>
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSLCertificateFile
/var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem
SSLCertificateKeyFile
/var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# CRL checking should be enabled; if you have problems with Apache
complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

# The following client headers allow the same configuration to work
with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

PassengerHighPerformance on
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect Off
RailsAutoDetect Off
RackBaseURI /

DocumentRoot /etc/puppet/puppetmaster/public

<Directory /etc/puppet/puppetmaster>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>


ErrorLog /var/log/httpd/puppetmaster_error.log
CustomLog /var/log/httpd/puppetmaster_access.log combined
</VirtualHost>

On the clients, the puppet.conf has the following content:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
pluginsync = true

I don't know how solve this problem. I've read the puppet guides about ssl
/ apache / passenger. I don't understand how some clients can use the
server, and not only one of these...

Thanks in advance for your support.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/REt9KRCixokJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Eric Sorenson at Apr 24, 2012 at 5:49 pm
    I suspect something is wrong with the underlying ssl libraries on the
    client with the problem. Does the output of 'rpm -qa | grep ssl' on the
    non-working client look the same as the client which works? How about

    ldd -r `rpm -ql ruby-libs | grep openssl.so`

    ?
    On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas Bétrancourt wrote:

    Hi!

    I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a rpm
    supplied by yum.puppetlabs.com.

    I've setup a apache2 vhost with mod_ssl and passenger. The server is
    configured to autosign the cert requests.

    The agent installed on the puppetmaster's server works fine. I've a second
    agent on a server which can sync with the server too. This server is on
    CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. All virtual
    machines are configured to join a network bridge. Some iptables rules
    forward the traffic from the VM to the world (and vice-et-versa). The world
    can connect to the VM (i.e. SSH) and the VM can go to the world.

    On the hypervisor, i've a VM on CentOS 6.2 too. The DNS name 'puppet' is
    resolved by the hypervisor (which has a dnsmasq server). When i'm launching
    the puppet agent for the first time, a cert is generated by the server. The
    client has now the certs and key on its filesystem. But when the client is
    trying to sync with the server, i've got the following output :
    [root@machine-1 ~]# puppet agent --test
    info: Creating a new SSL key for machine-1.test.betrancourt.net
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for
    machine-1.test.betrancourt.net
    info: Certificate Request fingerprint (md5):
    BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for machine-1.test.betrancourt.net
    err: Could not retrieve catalog from remote server: SSL_connect returned=1
    errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol
    version
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
    read server session ticket A: tlsv1 alert protocol version
    [root@machine-1 ~]#

    The client cert is into the server cert db :
    [root@medion ~]# puppetca list --all | grep machine-1
    + machine-1.test.betrancourt.net
    (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)

    In puppet.conf, on the server, i've the following content:
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    pluginsync = true

    [master]
    autosign = true
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

    My apache vhost is configured like this:
    <VirtualHost 192.168.1.60:8140>
    SSLEngine on
    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile
    /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem
    SSLCertificateKeyFile
    /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache
    complaining about the CRL, disable the next line
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to work
    with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    PassengerHighPerformance on
    PassengerStatThrottleRate 120
    PassengerUseGlobalQueue on
    RackAutoDetect Off
    RailsAutoDetect Off
    RackBaseURI /

    DocumentRoot /etc/puppet/puppetmaster/public

    <Directory /etc/puppet/puppetmaster>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>


    ErrorLog /var/log/httpd/puppetmaster_error.log
    CustomLog /var/log/httpd/puppetmaster_access.log combined
    </VirtualHost>

    On the clients, the puppet.conf has the following content:
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    pluginsync = true

    I don't know how solve this problem. I've read the puppet guides about ssl
    / apache / passenger. I don't understand how some clients can use the
    server, and not only one of these...

    Thanks in advance for your support.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Christopher Wood at Apr 24, 2012 at 5:55 pm
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0

    I've seen that when the clocks on the two hosts were out of sync. Even when I brought the clocks back into sync I found that I had to regenerate the certs to get it working.

    master:

    puppet cert --clean
    (restart the puppetmaster)

    agent:

    (remove the certs)
    (restart the agent and get the new cert request signed)
    On Tue, Apr 24, 2012 at 10:49:00AM -0700, Eric Sorenson wrote:
    I suspect something is wrong with the underlying ssl libraries on the
    client with the problem. Does the output of 'rpm -qa | grep ssl' on the
    non-working client look the same as the client which works? How about
    ldd -r `rpm -ql ruby-libs | grep openssl.so`
    ?

    On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas B�trancourt wrote:

    Hi!

    I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a
    rpm supplied by [1]yum.puppetlabs.com.

    I've setup a apache2 vhost with mod_ssl and passenger. The server is
    configured to autosign the cert requests.

    The agent installed on the puppetmaster's server works fine. I've a
    second agent on a server which can sync with the server too. This server
    is on CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt.
    All virtual machines are configured to join a network bridge. Some
    iptables rules forward the traffic from the VM to the world (and
    vice-et-versa). The world can connect to the VM (i.e. SSH) and the VM
    can go to the world.

    On the hypervisor, i've a VM on CentOS 6.2 too. The DNS name 'puppet' is
    resolved by the hypervisor (which has a dnsmasq server). When i'm
    launching the puppet agent for the first time, a cert is generated by
    the server. The client has now the certs and key on its filesystem. But
    when the client is trying to sync with the server, i've got the
    following output :
    [root@machine-1 ~]# puppet agent --test
    info: Creating a new SSL key for [2]machine-1.test.betrancourt.net
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for
    [3]machine-1.test.betrancourt.net
    info: Certificate Request fingerprint (md5):
    BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for [4]machine-1.test.betrancourt.net
    err: Could not retrieve catalog from remote server: SSL_connect
    returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert
    protocol version
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
    read server session ticket A: tlsv1 alert protocol version
    [root@machine-1 ~]#

    The client cert is into the server cert db :
    [root@medion ~]# puppetca list --all | grep machine-1
    + [5]machine-1.test.betrancourt.net
    (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)

    In puppet.conf, on the server, i've the following content:
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    pluginsync = true

    [master]
    autosign = true
    ssl_client_header        = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

    My apache vhost is configured like this:
    <VirtualHost [6]192.168.1.60:8140>
    SSLEngine on
    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile
    /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem
    SSLCertificateKeyFile
    /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache
    complaining about the CRL, disable the next line
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to work
    with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    PassengerHighPerformance on
    PassengerStatThrottleRate 120
    PassengerUseGlobalQueue on
    RackAutoDetect Off
    RailsAutoDetect Off
    RackBaseURI /

    DocumentRoot /etc/puppet/puppetmaster/public

    <Directory /etc/puppet/puppetmaster>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>

    ErrorLog /var/log/httpd/puppetmaster_error.log
    CustomLog /var/log/httpd/puppetmaster_access.log combined
    </VirtualHost>

    On the clients, the puppet.conf has the following content:
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    pluginsync = true

    I don't know how solve this problem. I've read the puppet guides about
    ssl / apache / passenger. I don't understand how some clients can use
    the server, and not only one of these...

    Thanks in advance for your support.

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    [7]https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.

    References

    Visible links
    1. http://yum.puppetlabs.com/
    2. http://machine-1.test.betrancourt.net/
    3. http://machine-1.test.betrancourt.net/
    4. http://machine-1.test.betrancourt.net/
    5. http://machine-1.test.betrancourt.net/
    6. http://192.168.1.60:8140/
    7. https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedApr 22, '12 at 9:31a
activeApr 24, '12 at 5:55p
posts3
users3
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase