So there is something wrong with the date of the certificate. When I
do "openssl x509 -text -noout -in /etc/puppet/ssl/certs/client.pem |
grep -A2 Validity", I get:

Validity
Not Before: Dec 7 14:08:10 2010 GMT
Not After : Dec 6 14:08:10 2015 GMT

However, the current date of the client is Dec 8, which is well within
the valid range. The date is also the same as on the master server. But when
I change the date of the client to Dec 9, everything works fine and I
don't get that certificate verify failed error anymore. This is
baffling! Any idea how to fix this? Thanks!

On Dec 6, 6:00 pm, Stefan Schulte <stefan.schu...@taunusstein.net>
wrote:
> On Mon, Dec 06, 2010 at 12:13:37PM -0800, Kikanny wrote:
> > Whenever I try to connect to the master from the client, I get the
> > following error:
>
> > Could not retrieve catalog from remote server: SSL_connect returned=1
> > errno=0 state=SSLv3 read server certificate B: certificate verify
> > failed
>
> I can think of the following reasons:
> * Client generated a new certificate after your master signed one.
> * When you connect a new client it retrieves the master's certificate.
>   When you connect again, the certificate will be checked. If you
>   rebuild your puppetmaster, your client will not trust its new
>   certificate.
> * You revoked your client's certificate
> * You revoked the certificate of your master
>
> If this is your first attempt to use puppet, try a fresh restart:
> * remove /etc/puppet/ssl and/or /var/lib/puppet/ssl on master and client
> * puppet cert --list --all should be empty on master
> * run puppet master --no-daemonize --verbose on master
> * run puppet agent --server masters_hostname --test --waitforcert 15 on
>   client
> * run puppet cert --list and puppet cert --sign on master
>
> If that does not work, you can check the subject of the certificates
> because I think they have to match the hostname. You can do that with
> "puppet cert --list" and "puppet cert --print <fqdn>" and on the client
> "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem" should work.
>
> -Stefan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
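
Added example (not part of the original thread): a Python check that parses the Validity block quoted in the first message and classifies a clock reading against the certificate's window, reporting the distance to the nearest boundary. The function names, the 300-second skew tolerance and the "near-boundary" status are assumptions made for this example.

```python
import re
import ssl
from datetime import datetime, timezone

# Validity block as printed in the message above by `openssl x509 -text`.
SAMPLE = """\
Validity
Not Before: Dec 7 14:08:10 2010 GMT
Not After : Dec 6 14:08:10 2015 GMT
"""

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for label, value in re.findall(r"Not (Before|After)\s*:\s*(.+?GMT)", text):
        # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
        seconds = ssl.cert_time_to_seconds(value)
        found[label] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is incomplete")
    return found["Before"], found["After"]

def check_clock(text, now, skew_seconds=300):
    """Classify a clock reading against the certificate's validity window.

    Returns (status, seconds to the nearest boundary). "near-boundary" marks
    a reading inside the window but within skew_seconds of either end, where
    a small clock difference between hosts flips the verification result.
    """
    if now.tzinfo is None:
        # Naive local time silently hides timezone mistakes; refuse it.
        raise ValueError("pass a timezone-aware datetime")
    not_before, not_after = parse_validity(text)
    now = now.astimezone(timezone.utc)  # the certificate's times are GMT
    if now < not_before:
        return "not-yet-valid", (not_before - now).total_seconds()
    if now > not_after:
        return "expired", (now - not_after).total_seconds()
    margin = min(now - not_before, not_after - now).total_seconds()
    return ("near-boundary" if margin < skew_seconds else "valid"), margin

if __name__ == "__main__":
    # Check this host's current UTC clock against the window.
    print(check_clock(SAMPLE, datetime.now(timezone.utc)))
```

Run it on both client and master with each host's own clock reading to compare how each one sees the same window.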