Issue #21869 has been updated by Ilkka Tengvall.
Also, I disabled se linux to make sure it's not that ruining this.
If I copy the ca cert manually, I end up to this:
<pre>
Info: Retrieving plugin
Debug: /File[/var/lib/puppet/lib]/seluser: Found seluser default 'system_u' for
/var/lib/puppet/lib
Debug: /File[/var/lib/puppet/lib]/selrole: Found selrole default 'object_r' for
/var/lib/puppet/lib
Debug: /File[/var/lib/puppet/lib]/seltype: Found seltype default
'puppet_var_lib_t' for /var/lib/puppet/lib
Debug: /File[/var/lib/puppet/lib]/selrange: Found selrange default 's0' for
/var/lib/puppet/lib
Debug: file_metadata supports formats: b64_zlib_yaml pson raw yaml; using pson
Debug: Using cached certificate for ca
Debug: Using cached certificate for hattara.taivaalla.pilvi
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server
session ticket A: tlsv1 alert unknown ca
Debug: file_metadata supports formats: b64_zlib_yaml pson raw yaml; using pson
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1
errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca Could
not retrieve file metadata for puppet://ospp-float2.hard.ware.fi/plugins:
SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1
alert unknown ca
Debug: Finishing transaction 69911269738900
Debug: node supports formats: b64_zlib_yaml pson raw yaml; using pson
Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: tlsv1 alert unknown ca
Debug: report supports formats: b64_zlib_yaml pson raw yaml; using pson
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: tlsv1 alert unknown ca
</pre>
And the master log has correspondingly this:
<pre>
[2013-07-19 15:25:43] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1
errno=0 state=SSLv3 read client certificate B: no certificate returned
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in
`accept'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:34:in
`listen'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `call'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:32:in
`listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in
`initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in
`listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in
`synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:28:in
`listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:92:in `listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:104:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:137:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:215:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:165:in
`run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:456:in `plugin_hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:504:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:364:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:132:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:86:in `execute'
/usr/bin/puppet:4
</pre>
rpm -q ruby
ruby-1.8.7.352-10.el6_4.x86_64
----------------------------------------
Bug #21869: another "Error: Could not request certificate: stack level too deep"
https://projects.puppetlabs.com/issues/21869#change-95155
* Author: Ilkka Tengvall
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version: 3.2.3
* Keywords:
* Branch:
----------------------------------------
There seems to others like this bug, but they are closed already and this still
happens for me. In short:
<pre>puppet agent -v -t -d|tee /home/ec2-user/perror.log
<bunch of debug log attached separately>
Error: Could not request certificate: stack level too deep
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
puppet is from puppetlabs repos yesterday:
<pre>[root@puppet-client puppet]# rpm -q puppet
puppet-3.2.3-1.el6.noarch
[root@puppetmaster puppet-etc]# rpm -q puppet-server
puppet-server-3.2.3-1.el6.noarch
</pre>
I am trying to create a generic machine cert for virtual machines built by
Jenkins job. I want the machines with the given cert to be able to register to
puppet-master automatically, and assing a profile for themselves. I was
following this guide: https://gist.github.com/ahpook/1182243.
The OS underneath the both puppet agent and master is RHEL 6.4. I attach the
long debug log coming from the command above. I have both the master and the
client in the cloud.
! 1. I setup the master with certname with public ip name separate to it's
cloud private hostname.
<pre>[master]
node_name = facter
certname = ospp-float2.hard.ware.fi
</pre>
! 2. and create the keys for the client
<pre>
puppet cert --generate hattara.taivaalla.pilvi
</pre>
! 3. copy them into place
<pre>
# private
master:$ssldir/private_keys/hattara.taivaalla.pilvi.pem ->
client:$ssldir/private_keys/hattara.taivaalla.pilvi.pem
# public
master:$ssldir/ca/signed/hattara.taivaalla.pilvi.pem ->
client:$ssldir/certs/hattara.taivaalla.pilvi.pem
</pre>
! 4. set the generic cert name for the client
<pre>
[agent]
# let's get assign the node name from facter
# and let the fact be fqdn atm, later PaaS profile
# from /etc/cybercom-release.yaml
certname = hattara.taivaalla.pilvi
node_name = facter
node_name_fact = fqdn
server = ospp-float2.hard.ware.fi
</pre>
! 5. start puppet master
<pre>service puppetmaster restart</pre>
! 6. try the first command. The debug output is attached.
<pre>puppet agent -v -t -d|tee /home/ec2-user/perror.log
<bunch of debug log attached separately>
Error: Could not request certificate: stack level too deep
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
And I see from master http log that the client tries to retrieve the cert.
If I retry the command, it behaves differently, some locking problem
<pre>
Error: Could not request certificate: Thread(#<Thread:0x7f91023bc370 run>) not
locked.
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
I can retrieve the cert manually by using curl just fine.
<pre>
curl --insecure -H 'Accept: s'
https://ospp-float2.hard.ware.fi:8140/production/certificate/ca
</pre>
That's about it. Tried all different things for hours today. I suppose it's a
bug.
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/groups/opt_out.
