Also, the "puppetserver ca list" returns errors. Excerpt:

    /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:948:in `connect'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:876:in `start'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:608:in `start'
On Thu, Sep 29, 2022 at 7:05 PM JB SysAdmin <jb0012...@gmail.com> wrote:
> Thanks so much for answering! I certainly restarted puppet and puppetdb
> services (using systemctl). Restarted the node, as well. The issue is that
> something is still missing/conflicting on the master. Running puppet agent
> on the master itself fails. Indeed, today, as this was linked with Foreman
> 1.19, I re-traced using this reference:
> https://alexshepherd.me/posts/changing-foremans-ssl-certificate/
>
> * "server_ssl_cert" (/etc/foreman-installer/scenarios.d/foreman-answers.yaml)
>   does already match SSLCertificateFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
> * "server_ssl_chain" from above is one of the files generated from the
>   recent puppet action (puppetserver ca generate --config). It does match
>   "SSLCertificateChainFile" on the latter SSL conf.
> * "server_ssl_key" (/etc/foreman-installer/scenarios.d/foreman-answers.yaml)
>   already matches SSLCertificateKeyFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
> * "puppet_ssl_ca" /etc/puppetlabs/puppet/ssl/certs/ca.pem; that matches
>   "server_ssl_chain" /etc/puppetlabs/puppet/ssl/certs/ca.pem
>   But it does NOT match "server_ssl_chain_filepath"
>   (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem). I don't know if that matters; it
>   is present in the foreman-answers.yaml.
>
> There are newly generated items in all those places, but I can't figure
> out what remains broken...
>
> On Wednesday, September 28, 2022 at 8:03:52 PM UTC-4 daf...@gmail.com wrote:
>
>> On 28.09.22 23:52, JB SysAdmin wrote:
>> > I followed a combination of what I saw:
>> >
>> > On puppet master:
>> >
>> > rm -rf /etc/puppetlabs/puppetdb/ssl
>> > puppetserver ca generate --config /etc/puppetlabs/puppet/puppet.conf
>> > puppet master --no-daemonize --verbose
>> > puppet resource service puppetserver ensure=running
>> > puppet resource service puppet ensure=running
>>
>> From your descriptions it doesn't look like you actually restarted
>> Puppetserver after regenerating the CA, so maybe try that first:
>> "systemctl restart puppetserver" (as root).
>>
>> > /opt/puppetlabs/server/apps/puppetdb/bin/puppetdb ssl-setup -f
>> > puppet resource service puppetdb ensure=running
>>
>> Similarly restart PuppetDB, "systemctl restart puppetdb".
>>
>> The "puppet resource ... ensure=running" commands don't restart any
>> service. They would just start a service if it wasn't running.
>>
>> > But on the master itself, and certainly a separate client/agent, there
>> > are any number of errors.
>>
>> Not sure if you did that already, but when regenerating the CA, as you
>> have done, you'll need to issue new certificates to all Puppet agent
>> nodes.
>>
>> On a Puppet agent node:
>>
>> rm -rf /etc/puppetlabs/puppet/ssl
>> puppet agent -t --waitforcert 30
>>
>> On the Puppetmaster (= Puppet CA server):
>>
>> puppetserver ca list
>> puppetserver ca sign --certname <NODE_CERTNAME>
>>
>> Do that for all Puppet agent nodes.
>>
>> HTH,
>>
>> Andreas
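The failure mode in this thread is a service (puppetserver, puppetdb or Foreman's httpd) still presenting a certificate issued by the old CA after `puppetserver ca generate`, which is exactly what "certificate verify failed" means. The following diagnostic is an added example, not code from the thread or from Puppet: it uses Ruby's stdlib `openssl` to report which certificate files no longer verify against the current ca.pem, so it can be pointed at the files listed in foreman-answers.yaml and the puppetdb ssl directory. The CA and leaf certificates it generates are constructed fixtures, and `make_cert`, `signed_by?` and `stale_certs` are names chosen here.

```ruby
require 'openssl'

# Build a certificate; with no issuer it becomes a self-signed CA.
# Constructed fixtures standing in for /etc/puppetlabs/puppet/ssl/certs/*.pem.
def make_cert(cn, serial, issuer_cert: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer_cert.nil?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# True when cert_pem chains to ca_pem: the same check that raises
# "certificate verify failed" when a service cert came from the old CA.
def signed_by?(cert_pem, ca_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(OpenSSL::X509::Certificate.new(cert_pem))
end

# Given the current ca.pem and a {label => pem} map of the certs each service
# presents, return the labels that no longer verify against it.
def stale_certs(ca_pem, certs)
  certs.reject { |_label, pem| signed_by?(pem, ca_pem) }.keys
end

# Stand-alone demo: an old CA, a regenerated CA, and one service cert from each.
if __FILE__ == $0
  old_ca, old_key = make_cert('Puppet CA old', 1)
  new_ca, new_key = make_cert('Puppet CA new', 1)
  certs = {
    'puppetserver' => make_cert('puppet.example.com', 2, issuer_cert: new_ca, issuer_key: new_key)[0].to_pem,
    'puppetdb' => make_cert('puppet.example.com', 3, issuer_cert: old_ca, issuer_key: old_key)[0].to_pem
  }
  puts "still issued by the old CA: #{stale_certs(new_ca.to_pem, certs).join(', ')}"
end
```

To use it on a real host, read ca.pem and each service's certificate file into the map instead of the constructed fixtures; any label it prints is a file that must be regenerated (and its service restarted) before the agent and `puppetserver ca list` will verify.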