Great! I remember glancing at your nametag (A fellow -ski!)

Thanks for the pointer. However, it still isn't working.

root@agent2:~ # puppet agent --test --waitforcert 30
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv2/v3 read server hello A: (null)

Ah! I figured this out. So, my Puppet Enterprise instance had two names
(puppetmaster and another name). This arcane error simply happened because
my agent was connecting to the server with one name, and the server
presented a certificate with a different name. Perhaps this was a
problem with another certificate in the certificate chain. Simple problem,
but the error was not at all clear, and was unlike any openssl error that
I've run into in the past.

-= Stefan
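
A way to check for the name mismatch described above, as an added example that is not part of the original post: it extracts the names from certificate text and tests whether the name the agent uses is covered. The sample certificate text and every hostname in it are constructed, and the live-use comment assumes OpenSSL 1.1.1 or later and the default master port 8140.

```shell
#!/bin/sh
# Added example, not from the thread: is the name the agent connects with
# among the names in the certificate the master presents?
# Live use (assumes OpenSSL 1.1.1+ for -ext, default master port 8140):
#   text=$(openssl s_client -connect "$server:8140" </dev/null 2>/dev/null |
#          openssl x509 -noout -subject -ext subjectAltName)
#   name_matches "$(puppet agent --configprint server)" "$text"

# Constructed sample of `openssl x509 -noout -subject -ext subjectAltName`
# output. All names here are hypothetical.
SAMPLE_CERT_TEXT='subject=CN = master.example.test
X509v3 Subject Alternative Name:
    DNS:master.example.test, DNS:puppet, DNS:*.lab.example.test'

# Print the subject CN and every subjectAltName DNS entry, one per line.
cert_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n \
        -e 's|^.*CN *= *\([^ ,/]*\).*$|\1|p' \
        -e 's|^.*DNS:\([^ ]*\).*$|\1|p' | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# Return 0 if hostname $1 matches a name in certificate text $2.
# A leading "*." matches exactly one left-most label, nothing deeper.
name_matches() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$want" ] || return 1
    while read -r n; do
        case "$n" in
            "$want") return 0 ;;
            \*.*)
                label=${want%%.*}
                # ${n#?} drops the "*", leaving the ".suffix" part
                if [ -n "$label" ] && [ "$want" = "$label${n#?}" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$(cert_names "$2")
EOF
    return 1
}

# Demo over the constructed sample: short name, FQDN, wildcard, and a
# name the certificate does not carry.
for host in puppet master.example.test agent.lab.example.test puppetmaster; do
    if name_matches "$host" "$SAMPLE_CERT_TEXT"; then
        echo "$host: covered by certificate"
    else
        echo "$host: NOT in certificate"
    fi
done
```

On the master, the names that go into its certificate come from the `certname` and `dns_alt_names` settings, so a name that fails this check has to be added there or the agent's `server` setting changed to a name that passes.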



On Wed, Aug 21, 2013 at 5:35 PM, Peter Bukowinski <pmb...@gmail.com> wrote:

> Stefan,
>
> If you do not have cert auto-signing enabled, the first time an agent
> connects to the master, you should use the -w option, e.g.:
>
> puppet agent -t -w 30
>
> This will tell the agent to wait for the master (you) to sign the cert
> request. Once that's done, the rest of the puppet run should kick off.
>
> (I'm at PuppetConf, too.)
>
> -- Peter (from phone)
>
> On Aug 21, 2013, at 5:23 PM, Stefan Lasiewski <ste...@stefanco.com> wrote:
>
> I am at PuppetConf today. I just set up a new VM running a brand new
> version of FreeBSD 9.2. I created my Puppetmaster during a Puppet course
> today, using a VM from puppetlabs.com.
>
> When I attempt to acquire a certificate from the Puppetmaster, I get a
> strange error. The agent & master can both ping each other, and their
> system clocks are within seconds of each other (but different timezones,
> which shouldn't matter).
>
> The agent can ping and connect to the master, but the connection fails
> during the SSL connection. Any idea what is going on?
>
> From the agent:
>
> root@agent2:~ # date
> Wed Aug 21 17:13:03 PDT 2013
> root@agent2:~ # puppet --version
> 3.2.3
>
> root@agent2:~ # ping puppetmaster
> PING puppetmaster.puppetlabs.vm (172.16.68.129): 56 data bytes
> 64 bytes from 172.16.68.129: icmp_seq=0 ttl=64 time=0.297 ms
> ...
> root@agent2:~ # puppet agent --test
> Error: Could not request certificate: SSL_connect returned=1 errno=0
> state=SSLv2/v3 read server hello A: (null)
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> And looking from the Puppet master side:
>
> [root@puppetmaster ~]# date
> Thu Aug 22 00:13:01 UTC 2013
> [root@stefan ~]# puppet --version
> 3.2.2 (Puppet Enterprise 3.0.0)
> [root@puppetmaster ~]# ping agent2
> PING agent2.puppetlabs.vm (172.16.68.131) 56(84) bytes of data.
> 64 bytes from agent2.puppetlabs.vm (172.16.68.131): icmp_seq=1 ttl=64
> time=1.84 ms
>
> I have a third, brand new VM running CentOS 6.4, and it was able to
> request a certificate without any problems.
>
> -= Stefan
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
>
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
