I regenerated the puppetdb certs according to the instructions here:

Step 3, Option B

https://docs.puppetlabs.com/puppetdb/0.9/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore

And can verify the cert manually using openssl client

# echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile /etc/ssl/certs/puppetdb.pem | grep Verify
Verify return code: 0 (ok)

However I still get the following:

err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed to submit 'replace facts' command for host23.example.com to PuppetDB
at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed: [certificate signature failure
for /CN=puppetdb]

Where do I place the certs so they are validated by the puppetdb terminus?


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/uqqpL4YG9g8J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Ken Barber at Jan 18, 2013 at 5:24 pm
    Hi Chris,
    > I regenerated the puppetdb certs according to the instructions here:
    >
    > Step 3, Option B
    >
    > https://docs.puppetlabs.com/puppetdb/0.9/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore
    >
    > And can verify the cert manually using openssl client
    >
    > # echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile /etc/ssl/certs/puppetdb.pem | grep Verify
    > Verify return code: 0 (ok)
    >
    > However I still get the following:
    >
    > err: Could not retrieve catalog from remote server: Error 400 on SERVER:
    > Failed to submit 'replace facts' command for host23.example.com to PuppetDB
    > at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server
    > certificate B: certificate verify failed: [certificate signature failure for
    > /CN=puppetdb]
    >
    > Where do I place the certs so they are validated by the puppetdb terminus?

    The puppetdb terminus should utilise the certificates from the Puppet
    master instance it is running from. So from a client/terminus
    perspective, you shouldn't have to do anything.

    It feels like it's the certificates on the puppetdb server that are
    having trouble. What are the full results of this command, when run
    from the puppetmaster itself?

    openssl s_client -connect puppetdb:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem

    Note: I'm specifying the CA file to be the CA on the puppetmaster in
    this case, which is what the puppetdb terminus should use; I wasn't
    quite sure /etc/ssl/certs/puppetdb.pem in your case was the correct CA
    PEM. Either way, I'm interested in the full output using the
    puppetmaster's CA specifically, as this is what the puppetdb
    terminus/client will use.

    Also, what about the contents of the keystore on the puppetdb server
    that you configured with those instructions you specified? This is for
    example what mine looks like (with the key identifier section
    removed):

    # keytool -list -v -keystore /etc/puppetdb/ssl/keystore.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: puppetdb1.vm
    Creation date: 10-Jan-2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=puppetdb1.vm
    Issuer: CN=Puppet CA: puppetdb1.vm
    Serial number: 2
    Valid from: Wed Jan 09 18:49:41 GMT 2013 until: Tue Jan 09 18:49:41 GMT 2018
    Certificate fingerprints:
    MD5: 5A:CB:F2:5E:84:27:E8:49:BF:0E:83:3A:3A:A8:EA:09
    SHA1: 8F:CA:36:99:93:9F:DB:04:B6:5F:67:45:70:0C:D0:B1:B1:D7:35:D2
    SHA256: D0:C4:C5:D4:FA:14:37:B1:74:F5:D9:EB:78:E0:26:71:06:2F:98:E4:EA:BC:22:6C:E6:40:A4:5A:5E:C5:77:8D
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:

    #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    0000: 16 28 50 75 70 70 65 74 20 52 75 62 79 2F 4F 70 .(Puppet Ruby/Op
    0010: 65 6E 53 53 4C 20 49 6E 74 65 72 6E 61 6C 20 43 enSSL Internal C
    0020: 65 72 74 69 66 69 63 61 74 65 ertificate

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]

    #3: ObjectId: 2.5.29.37 Criticality=true
    ExtendedKeyUsages [
    serverAuth
    clientAuth
    ]

    #4: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    ]

    #5: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    DNSName: puppet
    DNSName: puppet.vm
    DNSName: puppetdb1.vm
    ]

    (I've removed the key identifier)

    I'm primarily curious to see that the file is in a valid format, and
    that the issuer is the CA of your puppetmaster. Like mine shows under
    the 'Issuer' part. Generally this is what the designation 'signature'
    is all about, referenced in your error message 'certificate signature
    failure for /CN=puppetdb'.

    Beyond that, we'll want to make sure the CA you have in your
    truststore matches the CA on the puppetmaster:

    puppetdb # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    puppetdb ca, 10-Jan-2013, trustedCertEntry,
    Certificate fingerprint (SHA1):
    84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

    puppetmaster # openssl x509 -noout -in /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint
    SHA1 Fingerprint=84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

    If these don't match, then your truststore contains the wrong CA file.

    ken.

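The checks Ken walks through above (compare the truststore CA against the puppetmaster's ca_crt.pem, then chain the certificate PuppetDB actually serves back to that CA) scripted as an added example; this is not code from the thread or from PuppetDB. The truststore alias ("puppetdb ca", as in Ken's listing), the store password, the host name and the file paths are assumptions to be replaced with your own. It deliberately hashes the truststore entry through openssl rather than reading keytool's own fingerprint line, so both sides of the comparison come from one tool and one digest.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: openssl and keytool
# on PATH; alias/password/paths supplied by the caller.
set -u

# SHA-1 fingerprint of a PEM certificate, normalised to AA:BB:..:ZZ so that
# output from different openssl versions ("SHA1 Fingerprint=" vs
# "sha1 Fingerprint=") compares byte for byte.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2 | tr 'a-f' 'A-F'
}

# Same fingerprint for one trustedCertEntry in a Java truststore. The cert is
# exported with keytool and hashed with openssl, so keytool's default digest
# (SHA1 on old JDKs, SHA-256 on newer ones) does not matter.
truststore_fingerprint() {
    jks=$1; alias=$2; storepass=$3
    keytool -exportcert -rfc -alias "$alias" -keystore "$jks" -storepass "$storepass" \
        | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2 | tr 'a-f' 'A-F'
}

# Save the leaf certificate PuppetDB presents on its SSL port (the thread's
# s_client command, but keeping the cert instead of grepping the verdict).
fetch_server_cert() {
    host=$1; port=$2; out=$3
    echo QUIT | openssl s_client -connect "$host:$port" 2>/dev/null \
        | openssl x509 -outform PEM -out "$out"
}

# Chain a leaf to a CA file the way the Ruby client inside the terminus does.
# Returns 0 on success; on failure openssl's reason goes to stderr.
# "certificate signature failure" there means a CA whose name matches the
# leaf's Issuer was found but its key did not sign the leaf: a regenerated
# CA, or a keystore cert signed by something other than the master's CA.
verify_against_ca() {
    ca=$1; leaf=$2
    out=$(openssl verify -CAfile "$ca" "$leaf" 2>&1) && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Ken's two checks end to end: truststore CA == master CA, then the served
# cert must verify against that same CA.
check_puppetdb_ssl() {
    host=$1; port=$2; master_ca=$3; jks=$4; alias=$5; storepass=$6
    master_fp=$(cert_fingerprint "$master_ca")
    store_fp=$(truststore_fingerprint "$jks" "$alias" "$storepass")
    if [ "$master_fp" != "$store_fp" ]; then
        echo "truststore CA ($store_fp) != master CA ($master_fp): wrong CA in truststore" >&2
        return 1
    fi
    leaf=$(mktemp)
    fetch_server_cert "$host" "$port" "$leaf"
    if verify_against_ca "$master_ca" "$leaf"; then rc=0; else rc=1; fi
    rm -f "$leaf"
    return $rc
}

# Usage (values are placeholders for your own setup):
#   ./check_puppetdb_ssl.sh puppetdb 8081 /var/lib/puppet/ssl/ca/ca_crt.pem \
#       /etc/puppetdb/ssl/truststore.jks "puppetdb ca" changeit
if [ $# -eq 6 ]; then
    check_puppetdb_ssl "$@"
fi
```

Run it from the puppetmaster, since that is the machine whose ca_crt.pem the terminus trusts. A fingerprint mismatch points at the truststore; a fingerprint match followed by a verify failure points at the keystore entry (its Issuer is not the master's CA).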

Discussion Overview
group: puppet-users
categories: puppet
posted: Jan 16, '13 at 6:43p
active: Jan 18, '13 at 5:24p
posts: 2
users: 2
website: puppetlabs.com

2 users in discussion
Chris mague: 1 post
Ken Barber: 1 post
