Hi all - my head hurts! ;-)
I am getting this error on my agent host:
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com
This is the hosts file entry on the agent:
10.6.176.21 ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet
I did have certificates for the master (ncqd-isghub01) but following
instructions provided by others for addressing them, I removed them:
[root@ncqd-isghub01 ssl]# puppet cert clean
ncqd-isghub01.nott.ime.reuters.com
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Certificate
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com
at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
At this point I realised that on the master host I had the wrong IP address
for itself (it had recently been relocated), so I corrected that and for
safety's sake cleaned out /var/lib/puppet/ssl. I then did the following:
*Master as agent:*
[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for
ncqd-isghub01.nott.ime.reuters.com
Info: Certificate Request fingerprint (SHA256):
BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
*Master as master:*
[root@ncqd-isghub01 ssl]# puppet cert list
"ncqd-isghub01.nott.ime.reuters.com" (SHA256)
BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
[root@ncqd-isghub01 ssl]# puppet cert sign
ncqd-isghub01.nott.ime.reuters.com
Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com
Notice: Removing file Puppet::SSL::CertificateRequest
ncqd-isghub01.nott.ime.reuters.com at
'/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
*Master as agent:*
Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com
*Warning: Unable to fetch my node definition, but the agent run will
continue:*
[Not sure why this is reported – it’s defined in
/etc/puppet/manifest/nodes.pp and site.pp has import “nodes”, but it
appears not to be relevant]
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate
B: certificate verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed: [certificate signature
failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata
for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]
Error: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate signature failure for
/CN=ncqd-isghub01.nott.ime.reuters.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed: [certificate
signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
[root@ncqd-isghub01 ssl]#
Now why would it be unable to verify the certificate it’s just signed?
I then tried using my normal test agent, expecting the certificate request
to be generated anew, as I’d blitzed it earlier:
*Master as agent:*
[root@ncqd-isghub01 ssl]# puppet cert list --all
+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256)
1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD
[root@ncqd-isghub01 ssl]#
*Normal agent:*
[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test
info: Retrieving plugin
info: Caching catalog for ntm-igdev02.nott.ime.reuters.com
info: Applying configuration version '1370523314'
notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:
--- /tmp/test1 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1g9ifbr-0 Thu Jun 6 14:18:34 2013
@@ -1,0 +1,1 @@
+this is file test1
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com
notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:
--- /tmp/test2 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1xfiqif-0 Thu Jun 6 14:18:37 2013
@@ -1,0 +1,1 @@
+this is file test2
err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from
{md5}d41d8cd98f00b204e9800998ecf8427e to
{md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2:
Server hostname 'ncqd-isghub01' did not match server certificate; expected
one of ncqd-isghub01.nott.ime.reuters.com,
DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet,
DNS:puppet.nott.ime.reuters.com
notice: Finished catalog run in 6.33 seconds
[11674](root@ntm-igdev02)/etc/puppet:
So as far as the real agent is concerned, I’m back where I started and I
don’t see why a new certificate request wasn’t generated – I still only
have the one for the master. Also, why doesn’t the master recognise its own
certificate?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
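The first error in the post is a plain TLS hostname-verification failure: the agent connected to the master under the short alias 'ncqd-isghub01' (the hosts-file alias), while the master's certificate only carries the FQDN and 'puppet' names listed after "expected one of". The script below is an added example, not code from the post or from Puppet itself; it re-implements the RFC 6125 name-matching rule in Python (exact, case-insensitive labels; a wildcard only in the left-most label, never spanning a dot; SAN dNSName entries take precedence over the CN), parses the agent's mismatch error line to pull out the requested name and the accepted names, and reports which of the accepted names would have worked. The sample error line is the post's own message re-joined onto one line; the function names and the exact parsing regex are assumptions of this example.

```python
# Added example (not from the original post or from Puppet): checks a
# requested server hostname against the names a TLS server certificate
# presents, following the RFC 6125 matching rules, and parses the agent's
# "did not match server certificate" error line to explain the failure.
from __future__ import annotations
import re

# Constructed sample input: the "expected one of" list from the error in the
# post, i.e. the subject CN followed by the subjectAltName DNS entries.
SERVER_CERT_NAMES = [
    "ncqd-isghub01.nott.ime.reuters.com",       # subject CN
    "DNS:ncqd-isghub01.nott.ime.reuters.com",   # SAN dNSName
    "DNS:puppet",                               # SAN dNSName
    "DNS:puppet.nott.ime.reuters.com",          # SAN dNSName
]

# Constructed sample log line: the post's wrapped error re-joined on one line.
SAMPLE_ERROR_LINE = (
    "err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from "
    "{md5}d41d8cd98f00b204e9800998ecf8427e to "
    "{md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: "
    "Server hostname 'ncqd-isghub01' did not match server certificate; expected "
    "one of ncqd-isghub01.nott.ime.reuters.com, "
    "DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, "
    "DNS:puppet.nott.ime.reuters.com"
)

# Assumed shape of the agent's error text (matches the line in the post).
MISMATCH_RE = re.compile(
    r"Server hostname '(?P<host>[^']+)' did not match server certificate; "
    r"expected one of (?P<names>.+)$"
)


def dns_names(cert_names: list[str]) -> list[str]:
    """Names a client may match against. If the certificate carries any SAN
    dNSName entries ('DNS:' prefix), only those count; the bare CN is used
    solely as a fallback when there are no SANs (RFC 6125 section 6.4.4)."""
    sans, cns = [], []
    for entry in cert_names:
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            sans.append(entry[4:].lower())
        elif entry:
            cns.append(entry.lower())
    chosen = sans if sans else cns
    return list(dict.fromkeys(chosen))      # de-duplicate, keep order


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label. A single '*' may stand in for the whole label or
    for part of it (e.g. 'ncqd-*'), but never for a dot."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    head, tail = pattern.split("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False        # a wildcard never spans more than one label
    if "*" in pattern:
        # wildcard only in the left-most label, and not directly under a TLD
        if "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
            return False
    return (_label_matches(p_labels[0], h_labels[0])
            and p_labels[1:] == h_labels[1:])


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """The check the agent performs: does any accepted name cover `hostname`?"""
    return any(name_matches(n, hostname) for n in dns_names(cert_names))


def parse_mismatch_error(line: str) -> tuple[str, list[str]] | None:
    """Extract (requested hostname, certificate names) from the agent's
    mismatch error line; None if the line is some other message."""
    m = MISMATCH_RE.search(line.strip())
    if not m:
        return None
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return m.group("host"), names


def diagnose(hostname: str, cert_names: list[str]) -> dict:
    """Report whether the requested name matches and which names would."""
    return {
        "hostname": hostname,
        "matched": hostname_matches(hostname, cert_names),
        "accepted_names": dns_names(cert_names),
    }


if __name__ == "__main__":
    host, names = parse_mismatch_error(SAMPLE_ERROR_LINE)
    print(diagnose(host, names))
    # Shows matched=False for 'ncqd-isghub01' and lists the three SAN names
    # that the agent could have used instead.
```

Run as a script it reads the post's error line and prints that the short alias is not covered, while any of the three SAN names is; the practical consequence is that the agent must address the master by one of the names the certificate actually carries (or the master's certificate must be issued with the alias as an additional DNS name) before the backup-to-filebucket step can succeed.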