FAQ
Hello list,

I am having an issue where a puppet agent on a client complains that
clocks are out of sync between it and it's master -

err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed. This is often
because the time is out of sync on the server or client
err: Could not remove PID file /var/lib/puppet/run/agent.pid

However without any doubt the clocks are in sync

- date from puppet client
Saturday, June 23, 2012 01:48:26 PM EDT
-date from puppet server
Sat Jun 23 13:48:26 EDT 2012


I ran the following command for the first time on the client,

puppet agent --server puppet01-ops.ops.example.com --waitforcert 60
--test --debug

and was able to generate and approve a cert request on the puppet
server. But it failed the first and all subsequent attempts with the
error message I show above.

The master and client do run different operating systems. The server
is a RHEL 5.5 and the client is solaris 10

-server
[puppet01-ops:~] root% cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

[puppet01-ops:~] root% uname -a
Linux puppet01-ops 2.6.18-194.el5 #1 SMP Mon Mar 29 22:10:29 EDT 2010
x86_64 x86_64 x86_64 GNU/Linux

-client
[splunk-indx01:~] root% uname -a
SunOS splunk-indx01 5.10 Generic_147441-19 i86pc i386 i86pc

here is a verbose output of the puppet run on the client -

[splunk-indx01:~] root% puppet agent --server
puppet01-ops.ops.example.com --waitforcert 60 --test --debug
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUseradd: file chage does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file
/usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring
File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring
File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring
File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/run/agent.pid]: Autorequiring
File[/var/lib/puppet/run]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state/last_run_summary.yaml]:
Autorequiring File[/var/lib/puppet/state]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 73965420
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring
File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring
File[/etc/puppet/ssl/certs]
debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]:
Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 73477900
debug: Using cached certificate for ca
debug: Using cached certificate for splunk-indx01.example.com
debug: Finishing transaction 73257990
debug: catalog supports formats: b64_zlib_yaml dot marshal pson raw
yaml; using pson
debug: Using cached certificate for ca
debug: Using cached certificate for splunk-indx01.example.com
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed. This is often because the time is out of sync on the
server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
Executing 'diff -u /var/lib/puppet/state/last_run_summary.yaml
/tmp/puppet-file20120623-2172-1qxtgsx-0'
notice: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
--- /var/lib/puppet/state/last_run_summary.yaml Sat Jun 23 13:24:22 2012
+++ /tmp/puppet-file20120623-2172-1qxtgsx-0 Sat Jun 23 13:28:11 2012
@@ -1,6 +1,6 @@
---
time:
- last_run: 1340472262
+ last_run: 1340472491
version:
puppet: 2.7.10
config:

debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
content changed '{md5}01f5ac2f7e8284d63a9e78fbf8340024' to
'{md5}0d3057c2e97d43533f2ab9c65dd2bfa1'
debug: Finishing transaction 74116410
debug: Value of 'preferred_serialization_format' (pson) is invalid for
report, using default (marshal)
debug: report supports formats: b64_zlib_yaml marshal raw yaml; using marshal
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed. This is often
because the time is out of sync on the server or client
err: Could not remove PID file /var/lib/puppet/run/agent.pid



So far, I've attempted to rm -rf the /var/lib/puppet/ssl directory on
the CLIENT side :) and run a puppet cert --clean ${CLIENT_NAME}
command on the master, then re-run the original command on the client
(puppet agent --server puppet01-ops.ops.example.com --waitforcert 60
--test --debug).

The puppet server is currently controlling a number of nodes, and all
the nodes are solaris. I've had a look at the server certificate with
the openssl s_client -connect ${SERVER} command from both a working
puppet client running solaris and the non-working one that I am
attempting to setup: both outputs appear to be identical.

I was just wondering if there might be anything that I missed or
anything else I could try to get this working.


Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Felix Frank at Jun 27, 2012 at 8:24 am
    Hi,
    On 06/23/2012 10:17 PM, Tim Dunphy wrote:
    The puppet server is currently controlling a number of nodes, and all
    the nodes are solaris. I've had a look at the server certificate with
    the openssl s_client -connect ${SERVER} command from both a working
    puppet client running solaris and the non-working one that I am
    attempting to setup: both outputs appear to be identical.
    good call. Next step for me would be to "openssl x509" examine all newly
    cached certificates on the client.

    Is the stored master cert identical to the one presented? Is it signed
    by the same ca as the node cert? etc.
    It's certainly helpful to get a feel for how the certificates relate and
    what puppet does to check everything.

    Regards,
    Felix

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Steve Traylen at Jun 28, 2012 at 7:00 pm

    On Saturday, 23 June 2012 22:17:24 UTC+2, bluethundr wrote:
    Hello list,

    I am having an issue where a puppet agent on a client complains that
    clocks are out of sync between it and it's master -

    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
    read server certificate B: certificate verify failed. This is often
    because the time is out of sync on the server or client
    err: Could not remove PID file /var/lib/puppet/run/agent.pid

    However without any doubt the clocks are in sync

    - date from puppet client
    Saturday, June 23, 2012 01:48:26 PM EDT
    -date from puppet server
    Sat Jun 23 13:48:26 EDT 2012
    Hi,

    Do you have a ruby version mismatch ?

    http://projects.puppetlabs.com/issues/9084

    can cause this in a mixed ruby 1.8 and 1.9 world.

    I ran the following command for the first time on the client,

    puppet agent --server puppet01-ops.ops.example.com --waitforcert 60
    --test --debug

    and was able to generate and approve a cert request on the puppet
    server. But it failed the first and all subsequent attempts with the
    error message I show above.

    The master and client do run different operating systems. The server
    is a RHEL 5.5 and the client is solaris 10

    -server
    [puppet01-ops:~] root% cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 5.5 (Tikanga)

    [puppet01-ops:~] root% uname -a
    Linux puppet01-ops 2.6.18-194.el5 #1 SMP Mon Mar 29 22:10:29 EDT 2010
    x86_64 x86_64 x86_64 GNU/Linux

    -client
    [splunk-indx01:~] root% uname -a
    SunOS splunk-indx01 5.10 Generic_147441-19 i86pc i386 i86pc

    here is a verbose output of the puppet run on the client -

    [splunk-indx01:~] root% puppet agent --server
    puppet01-ops.ops.example.com --waitforcert 60 --test --debug
    debug: Failed to load library 'shadow' for feature 'libshadow'
    debug: Puppet::Type::User::ProviderLdap: true value when expecting false
    debug: Puppet::Type::User::ProviderUseradd: file chage does not exist
    debug: Puppet::Type::User::ProviderDirectoryservice: file
    /usr/bin/dscl does not exist
    debug: Puppet::Type::User::ProviderPw: file pw does not exist
    debug: Failed to load library 'selinux' for feature 'selinux'
    debug: Failed to load library 'ldap' for feature 'ldap'
    debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring
    File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/private_keys]
    debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/state/graphs]: Autorequiring
    File[/var/lib/puppet/state]
    debug: /File[/var/lib/puppet/client_yaml]: Autorequiring
    File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/public_keys]
    debug: /File[/var/lib/puppet/client_data]: Autorequiring
    File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/run/agent.pid]: Autorequiring
    File[/var/lib/puppet/run]
    debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/state/last_run_summary.yaml]:
    Autorequiring File[/var/lib/puppet/state]
    debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/var/lib/puppet/clientbucket]: Autorequiring
    File[/var/lib/puppet]
    debug: Finishing transaction 73965420
    debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/certs/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring
    File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/public_keys/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/public_keys]
    debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring
    File[/etc/puppet/ssl/certs]
    debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/private_keys/splunk-indx01.example.com.pem]:
    Autorequiring File[/etc/puppet/ssl/private_keys]
    debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
    debug: Finishing transaction 73477900
    debug: Using cached certificate for ca
    debug: Using cached certificate for splunk-indx01.example.com
    debug: Finishing transaction 73257990
    debug: catalog supports formats: b64_zlib_yaml dot marshal pson raw
    yaml; using pson
    debug: Using cached certificate for ca
    debug: Using cached certificate for splunk-indx01.example.com
    err: Could not retrieve catalog from remote server: SSL_connect
    returned=1 errno=0 state=SSLv3 read server certificate B: certificate
    verify failed. This is often because the time is out of sync on the
    server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
    Executing 'diff -u /var/lib/puppet/state/last_run_summary.yaml
    /tmp/puppet-file20120623-2172-1qxtgsx-0'
    notice: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
    --- /var/lib/puppet/state/last_run_summary.yaml Sat Jun 23 13:24:22 2012
    +++ /tmp/puppet-file20120623-2172-1qxtgsx-0 Sat Jun 23 13:28:11 2012
    @@ -1,6 +1,6 @@
    ---
    time:
    - last_run: 1340472262
    + last_run: 1340472491
    version:
    puppet: 2.7.10
    config:

    debug: /File[/var/lib/puppet/state/last_run_summary.yaml]/content:
    content changed '{md5}01f5ac2f7e8284d63a9e78fbf8340024' to
    '{md5}0d3057c2e97d43533f2ab9c65dd2bfa1'
    debug: Finishing transaction 74116410
    debug: Value of 'preferred_serialization_format' (pson) is invalid for
    report, using default (marshal)
    debug: report supports formats: b64_zlib_yaml marshal raw yaml; using
    marshal
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
    read server certificate B: certificate verify failed. This is often
    because the time is out of sync on the server or client
    err: Could not remove PID file /var/lib/puppet/run/agent.pid



    So far, I've attempted to rm -rf the /var/lib/puppet/ssl directory on
    the CLIENT side :) and run a puppet cert --clean ${CLIENT_NAME}
    command on the master, then re-run the original command on the client
    (puppet agent --server puppet01-ops.ops.example.com --waitforcert 60
    --test --debug).

    The puppet server is currently controlling a number of nodes, and all
    the nodes are solaris. I've had a look at the server certificate with
    the openssl s_client -connect ${SERVER} command from both a working
    puppet client running solaris and the non-working one that I am
    attempting to setup: both outputs appear to be identical.

    I was just wondering if there might be anything that I missed or
    anything else I could try to get this working.


    Thanks
    Tim

    --
    GPG me!!

    gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/KPEwOhEKZe8J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedJun 23, '12 at 8:17p
activeJun 28, '12 at 7:00p
posts3
users3
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase