Hi ... my head hurts! Sorry this is a bit long, but I hope it has all the
relevant evidence.


I am getting this error on my agent host:

  err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com

This is the hosts file entry on the agent:

10.6.176.21 ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet

I did have certificates for the master (ncqd-isghub01) but following
instructions provided by others for addressing them, I removed them:

  [root@ncqd-isghub01 ssl]# puppet cert clean
ncqd-isghub01.nott.ime.reuters.com

Notice: Revoked certificate with serial 5

Notice: Removing file Puppet::SSL::Certificate
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'

Notice: Removing file Puppet::SSL::Certificate
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'

Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com
at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'

[root@ncqd-isghub01 ssl]#

At this point I realised that on the master host I had the wrong IP
address for itself (it has recently been relocated), so I corrected that
and for safety's sake cleaned out /var/lib/puppet/ssl. I then did the
following:

*Master as agent:*

[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test

Info: Caching certificate for ca

Info: Creating a new SSL certificate request for
ncqd-isghub01.nott.ime.reuters.com

Info: Certificate Request fingerprint (SHA256):
BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D

*Master as master:*

[root@ncqd-isghub01 ssl]# puppet cert list

   "ncqd-isghub01.nott.ime.reuters.com" (SHA256)
BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D

[root@ncqd-isghub01 ssl]# puppet cert sign
ncqd-isghub01.nott.ime.reuters.com

Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com

Notice: Removing file Puppet::SSL::CertificateRequest
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'

[root@ncqd-isghub01 ssl]#

*Master as agent:*

Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com

*Warning: Unable to fetch my node definition, but the agent run will
continue:*

[Not sure why this is reported – it’s defined in
/etc/puppet/manifest/nodes.pp and site.pp has import “nodes” but it
appears not to be relevant]

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate
B: certificate verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]

Info: Retrieving plugin

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed: [certificate signature
failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata
for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]

Error: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]

Warning: Not using cache on failed catalog

Error: Could not retrieve catalog; skipping run

Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed: [certificate
signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]

[root@ncqd-isghub01 ssl]#

Now why would it be unable to verify the certificate it’s just signed?

I then tried using my normal test agent, expecting the certificate request
to be generated anew, as I’d blitzed it earlier:

*Master as agent:*

[root@ncqd-isghub01 ssl]# puppet cert list --all

+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256)
1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD

[root@ncqd-isghub01 ssl]#

*Normal agent:*

[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test

info: Retrieving plugin

info: Caching catalog for ntm-igdev02.nott.ime.reuters.com

info: Applying configuration version '1370523314'

notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:

--- /tmp/test1 Tue Jun 4 10:38:59 2013

+++ /tmp/puppet-file20130606-25892-1g9ifbr-0 Thu Jun 6 14:18:34 2013

@@ -1,0 +1,1 @@

+this is file test1

err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com

notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:

--- /tmp/test2 Tue Jun 4 10:38:59 2013

+++ /tmp/puppet-file20130606-25892-1xfiqif-0 Thu Jun 6 14:18:37 2013

@@ -1,0 +1,1 @@

+this is file test2

err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com

notice: Finished catalog run in 6.33 seconds

[11674](root@ntm-igdev02)/etc/puppet:

So as far as the real agent is concerned, I'm back where I started and the
questions I have are:

1. Why is a new certificate request not generated? I still only have the
one for the master.

2. Why doesn't the master recognise its own certificate?

3. What is the problem with the normal agent's complaint about the master's
certificate?

Any assistance would be gratefully received! Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
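The "did not match server certificate" error above is the client-side TLS hostname check: the agent reached the master under the short name 'ncqd-isghub01', and the error lists every name the certificate actually carries (the subject CN followed by the DNS subjectAltNames), none of which is that short name. The following Python example is added here as an illustration; it is not code from the post or from Puppet. It parses a constructed copy of that message (joined onto one line) and applies the same DNS-name comparison rule a TLS client uses, so you can see which of the listed names would and would not pass. The function names (`parse_mismatch_error`, `dns_id_matches`, `hostname_matches_cert`, `diagnose`) are hypothetical helpers written for this example; the matching rule also handles wildcard names, which the post's certificate does not have.

```python
"""Added example (not from the post, not Puppet code): reproduce the TLS
hostname check behind the "did not match server certificate" error."""
import re

# Constructed sample, modelled on the error text in the post and joined
# onto one line; the real message was line-wrapped by the mail client.
PUPPET_ERROR = (
    "Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not "
    "match server certificate; expected one of "
    "ncqd-isghub01.nott.ime.reuters.com, "
    "DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, "
    "DNS:puppet.nott.ime.reuters.com"
)

_MISMATCH_RE = re.compile(
    r"Server hostname '([^']+)' did not match server certificate; "
    r"expected one of (.+)$", re.S)


def parse_mismatch_error(msg):
    """Return (hostname_the_client_used, [names in the certificate]) or None.

    Puppet lists the subject CN first and then each subjectAltName with a
    'DNS:' prefix; the prefix is stripped and duplicates are collapsed.
    """
    m = _MISMATCH_RE.search(msg)
    if not m:
        return None
    names = []
    for item in m.group(2).split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            item = item[len("DNS:"):]
        if item and item not in names:
            names.append(item)
    return m.group(1), names


def dns_id_matches(pattern, hostname):
    """RFC 6125 style DNS-ID comparison: case-insensitive, a wildcard only as
    the whole left-most label, matching exactly one label, and never a
    bare two-label pattern such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert_names):
    """True if any certificate name covers the hostname the client used."""
    return any(dns_id_matches(n, hostname) for n in cert_names)


def diagnose(msg):
    """Explain a mismatch error: which name the client used, whether any
    certificate name covers it, and which exact names the client could
    connect with instead (wildcard entries excluded)."""
    parsed = parse_mismatch_error(msg)
    if parsed is None:
        return None
    used, names = parsed
    return {
        "used": used,
        "matches": hostname_matches_cert(used, names),
        "usable_names": [n for n in names if "*" not in n],
    }


if __name__ == "__main__":
    report = diagnose(PUPPET_ERROR)
    print(f"client used {report['used']!r}: match={report['matches']}")
    print("names the certificate does cover:",
          ", ".join(report["usable_names"]))
```

Run on the constructed message, `diagnose` reports that 'ncqd-isghub01' matches nothing, while the FQDN and the 'puppet' names listed in the error would each pass the same check. The later "certificate signature failure" messages in the post come from a different step of TLS verification (validating the certificate's signature against the CA the client trusts), which this example does not model.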

Posted to the puppet-users group (category: puppet) on Jun 6, '13 at 2:48p by Andthepharaohs; 1 post, 1 user.
