RE: [Puppet Users] Re: "SSLv3 read server certificate B: certificate verify failed." -- Not time related

Tue, 20 Mar 2012 06:52:49 -0700 

Take a look at bug 8858 and 9084. But have some suggested "fixes" to see if you 
are hitting them. If you are running the client and master on the same server 
thought (and both are using the same cert) this may not be the case.
 


________________________________

        From: puppet-users@googlegroups.com 
[mailto:puppet-users@googlegroups.com] On Behalf Of glm
        Sent: Monday, March 19, 2012 6:39 PM
        To: puppet-users@googlegroups.com
        Subject: [Puppet Users] Re: "SSLv3 read server certificate B: 
certificate verify failed." -- Not time related
        
        
        Hi, 

        I am having a similar problem but I am trying to run puppetd -t on the 
server as a client of itself.  This works on our other puppet master.  Like the 
poster above, I have cleared /var/lib/puppet/ssl a dozen times and time cannot 
be an issue because client and server are the same machine.  I have tried this 
with both puppetmasterd and with the apache passenger module, which is what we 
have running on our other puppet master, which works.
        I am using puppet versions
        puppet-2.7.9-2.el6.noarch
        puppet-server-2.7.9-2.el6.noarch

        on top of ruby versions:
        ruby-1.8.7.352-4.el6_2.x86_64
        rubygems-1.3.7-1.el6.noarch
        ruby-libs-1.8.7.352-4.el6_2.x86_64

        All of this on CentOS 6.

        Any ideas?

        Thanks.

        Glen

        On Tuesday, February 21, 2012 4:56:13 PM UTC-8, Jon wrote: 

                I recently built, added to puppet and then nuked a server.  
Before I re-added the machine (after I rebuilt it, with the same name), I went 
to the puppet server and ran `puppet cert revoke dev-8.company.com` and `puppet 
cert clean dev-8.company.com`.  Now when puppet runs on ANY server in my 
environment, they get the following error:
                


                        info: Caching certificate for dev-8.company.com
                        err: Could not retrieve catalog from remote server: 
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed.  This is often because the time is out of sync on 
the server or client
                        warning: Not using cache on failed catalog
                        err: Could not retrieve catalog; skipping run
                        err: Could not send report: SSL_connect returned=1 
errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This 
is often because the time is out of sync on the server or client


                Now I know for a fact that it isn't a time issue because the 
puppet server is on NTP as are the clients.  The new machine is also within 1-2 
seconds of server time.  All of the clients are configured to run (via Cron) 
`/usr/sbin/puppetd --onetime --no-daemonize --logdest syslog --server 
puppet.company.com`.  The server is named puppet-1.company.com but puppet. is a 
valid cname.  I've tried rebooting the puppet server, I've tried upgrading it, 
just about anything I can think of.  

                Any help would be greatly appreciated.
                -Jon

                PS Both clients and server are running Ubuntu:


                        root@puppet-1:/etc/puppet# cat /etc/lsb-release
                        DISTRIB_ID=Ubuntu
                        DISTRIB_RELEASE=11.10
                        DISTRIB_CODENAME=oneiric
                        DISTRIB_DESCRIPTION="Ubuntu 11.10"

                        root@puppet-1:/etc/puppet# uname -a
                        Linux puppet-1 3.0.0-16-server #28-Ubuntu SMP Fri Jan 
27 18:03:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux



                -- 
                Jon 
                [[User:ShakataGaNai]] / KJ6FNQ
                http://snowulf.com/
                http://www.linkedin.com/in/shakataganai 
<http://www.linkedin.com/in/shakataganai>  <http://twitter.com/shakataganai> 
                
                

                -- 
        You received this message because you are subscribed to the Google 
Groups "Puppet Users" group.
        To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/we1mj3rXSUcJ.
        To post to this group, send email to puppet-users@googlegroups.com.
        To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
        For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
        




This email communication and any files transmitted with it may contain
confidential and or proprietary information and is provided for the use of the
intended recipient only. Any review, retransmission or dissemination of this
information by anyone other than the intended recipient is prohibited. If you
receive this email in error, please contact the sender and delete this
communication and any copies immediately. Thank you.

http://www.encana.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Reply via email to