Restarting the puppetserver seems to sort the certificate mismatch. Note
that my host's A record is loire.example.com with CNAME puppet.example.com.
In /etc/puppet/puppet.conf, I refer to the host as puppet:
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
dns_alt_names = puppet.example.com
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server = puppet.example.com
(Recall that s/example/mydomain/g.) The problem then transforms into
certificate verification failure.
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=loire.example.com]
Comparing certificates confirms they aren't quite the same. Recall that my
master and agent are running on the same host: I want puppet to handle
configuration for the master!
[T] jeff@loire:~ $ openssl s_client -connect loire.example.com:8140 -showcerts > /tmp/cert
[T] jeff@loire:~ $ sudo openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /tmp/cert
/tmp/cert: CN = loire.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
2,[T] jeff@loire:~ $
I tried removing all the certificates I could find and restarting the
server.
[T] jeff@loire:~ $ sudo find /var/lib/puppet/ssl -name '*.pem' -delete
[T] jeff@loire:~ $ sudo rm -rf /etc/puppet/ssl
[T] jeff@loire:~ $ sudo puppet cert list --all
Notice: Signed certificate request for ca
[T] jeff@loire:~ $ sudo puppet cert list --all
[T] jeff@loire:~ $
(I've never been clear on why certificate lists sometimes become empty on a
second request.) But now on restarting the server, I see this error:
java.lang.IllegalArgumentException: Expected a KeyPair or PrivateKey, got org.bouncycastle.openssl.PEMEncryptedKeyPair@315e8e4
It looks like I forgot some certificate somewhere. O, how I would have
liked a long entry that says "I see that /path/to/A and /path/to/B are not
the same."
I'm temporarily out of ideas and search queries. If anyone can shed any
light, I'd much appreciate it. If not, this all at least serves to
document for those who search these things later.
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255 <-- only when I'm in the UK
http://ml-week.com/ *next edition, 2016*
http://jeff.purple.com/
http://blog.purple.com/jeff/
On 17 February 2016 at 18:12, Jeff Abrahamson <[email protected]> wrote:
> Aha, I can answer *half* of my own question after another hour of work.
> The issue was the certname field in the config. Removing it makes that all
> work. I also removed the short hostname from dns_alt_names, since it
> seemed unnecessary. That leaves me only with the famous certificate
> mismatch problem.
>
> ...
> Debug: Finishing transaction 5407140
> Info: Creating a new SSL key for loire.example.com
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Creating new connection for https://puppet.example.com:8140
> Info: Caching certificate for loire.example.com
> Error: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint:
> EF:0B:DB:FD:8F:18:AB:DC:1F:82:BF:8B:A0:92:CB:D3:4F:0D:72:DC:F2:23:B8:A0:74:76:33:56:6E:32:1F:50
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
> puppet cert clean loire.example.com
> On the agent:
> 1a. On most platforms: find /var/lib/puppet/ssl -name loire.example.com.pem -delete
> 1b. On Windows: del "/var/lib/puppet/ssl/loire.example.com.pem" /f
> 2. puppet agent -t
>
> Exiting; failed to retrieve certificate and waitforcert is disabled
> 1,[T] jeff@loire:~ $
>
> On 17 February 2016 at 16:58, Jeff Abrahamson <[email protected]> wrote:
>
>> I set up a puppetserver. It's, well, not generating errors outright.
>>
>> On the same host, I want to run a puppet agent. But the agent doesn't
>> seem to want to use the FQDN of the host, and so it fails to connect.
>>
>> [T] jeff@loire:~ $ puppet agent --debug --test
>> ...
>> Debug: Finishing transaction 27923380
>> Debug: Creating new connection for https://puppet:8140
>> Error: Could not request certificate: getaddrinfo: Name or service not known
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>> 1,[T] jeff@loire:~ $
>> 1,[T] jeff@loire:~ $ cat /etc/puppet/puppet.conf
>> [main]
>> logdir=/var/log/puppet
>> vardir=/var/lib/puppet
>> ssldir=/var/lib/puppet/ssl
>> rundir=/var/run/puppet
>> factpath=$vardir/lib/facter
>> certname = puppet
>> dns_alt_names = puppet,puppet.example.com
>>
>> [master]
>> # These are needed when the puppetmaster is run by passenger
>> # and can safely be removed if webrick is used.
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>>
>> [agent]
>> server = puppet.example.com
>> [T] jeff@loire:~ $ cat /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 ubuntu
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> 139.162.147.68 loire.example.com loire
>> [T] jeff@loire:~ $ netstat -a | grep 8140
>> tcp6 0 0 [::]:8140 [::]:* LISTEN
>> [T] jeff@loire:~ $
>>
>>
>> Of course, s/example/my-real-domain-name/g. Note that loire is the
>> host's A record; there's a CNAME called puppet. (Note that telnetting
>> to loire.example.com 8140 connects: the tcp6 is a netstat artefact as
>> far as I know.)
>>
>> Reflection, poking, and googling are drawing blanks for me. Any
>> suggestions?
>>
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
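Added example, not code from the thread or from Puppet: the "A and B are not the same" report the thread asks for, run against a Puppet-style PEM layout. It checks the two failures seen above separately (certificate issued for a different private key; certificate not signed by the CA in ca.pem) and names the offending file pair. It assumes openssl is on PATH; every file under the temp dir is a constructed fixture, so on a real node you would point it at ssldir/certs/ca.pem, ssldir/certs/<certname>.pem and ssldir/private_keys/<certname>.pem instead.

```shell
#!/bin/sh
# Added example (not from the thread). Compares a host cert against its private
# key and against the CA, and says which pair disagrees. Fixture paths are constructed.
set -u
WORK=$(mktemp -d)
# cert_matches_key CERT KEY: 0 when CERT's public key equals the public half of
# KEY (the check behind "certificate ... does not match the agent's private key").
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# cert_chains_to_ca CA CERT: 0 when CERT verifies under CA (openssl "error 20" otherwise).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# diagnose CA CERT KEY: exit 0 = consistent, 1 = key/cert mismatch, 2 = wrong CA.
diagnose() {
    if ! cert_matches_key "$2" "$3"; then
        echo "MISMATCH: $2 was not issued for the private key in $3"; return 1
    fi
    if ! cert_chains_to_ca "$1" "$2"; then
        echo "MISMATCH: $2 was not signed by the CA in $1"; return 2
    fi
    echo "OK: $2 matches $3 and chains to $1"
}
# Constructed fixtures: a throwaway CA, a host cert it signed, a fresh key the cert
# was never issued for (the state after deleting and regenerating the agent key
# while the master kept the old cert), and an unrelated CA.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=testca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=loire.example.com \
        -keyout "$WORK/loire.key" -out "$WORK/loire.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/loire.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/loire.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/stale.key" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=otherca \
        -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}
make_fixtures
diagnose "$WORK/ca.pem" "$WORK/loire.pem" "$WORK/loire.key"
diagnose "$WORK/ca.pem" "$WORK/loire.pem" "$WORK/stale.key" || true
diagnose "$WORK/other-ca.pem" "$WORK/loire.pem" "$WORK/loire.key" || true
```

The exit code distinguishes the two cases the thread conflates: 1 means `puppet cert clean` plus deleting the agent's cert is the right fix, while 2 means the agent is trusting a different ca.pem than the one the master signs with.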