Apologies for the late reply, but do you know how to re-create the certs for 
PuppetDB? Is there a specific PuppetDB group who may be able to answer 
this? Thanks very much.

On Wednesday, 3 October 2018 19:04:26 UTC+1, Maggie Dreyer wrote:
>
> If you regenerated your CA as part of fixing the issues with the 
> master/agent connection, did you also regenerate the certificates for 
> PuppetDB? Not having really any experience with PuppetDB, I could see this 
> error being caused by still using certificates issued by the old certificate 
> authority.
>
> On Wed, Oct 3, 2018 at 10:58 AM Andy Hall <andyjo...@gmail.com> wrote:
>
>> Just fixed an issue with the puppetserver ca after a 5.x to 6.x upgrade 
>> (see post "PUPPET 6.0 : CSR from master does not match the agent public 
>> key" for more details) but now experience the following issue with PuppetDB 
>> (maybe a problem with the Java KeyStore?):
>>
>> AGENT:
>>
>> # puppet agent --test
>>
>> Warning: Unable to fetch my node definition, but the agent run will continue:
>> Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for andy-puppet6-test.london.company.com: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Retrieving locales
>> Info: Loading facts
>>
>> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=53837e24e8b91d10fc3a81a657b83258c0ab3f8f&version=5&certname=andy-puppet6-test.london.company.com&command=replace_facts&producer-timestamp=1538588583' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>>
>> MASTER:
>>
>> ==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
>> 2018-10-03T18:49:26.860+01:00 ERROR [qtp1255475413-70] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
>>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
>>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
>>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
>>     at java.lang.Thread.run(Thread.java:748)
>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>>     ... 9 common frames omitted
>> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>>     at sun.security.validator.Validator.validate(Validator.java:262)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>>     ... 17 common frames omitted
>> Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
>>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>>     ... 23 common frames omitted
>> 2018-10-03T18:49:26.873+01:00 WARN  [qtp1255475413-70] [puppetserver] Puppet Error connecting to ldn1-puppet5.london.company.com on 8081 at route /pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
>> 2018-10-03T18:49:26.881+01:00 ERROR [qtp1255475413-70] [puppetserver] Puppet Server Error: Could not retrieve facts for andy-puppet6-test.london.company.com: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>
>> Seems to be an SSL issue with PuppetDB? Maybe the Java KeyStore? Please 
>> note this is not a simple TCP problem - the connection from agent to master 
>> on port 8081 is fine.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/10f93c46-6fbb-484f-9a60-a3ebbf0116b7%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>

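Added example, not part of the thread and not code from its participants or from Puppet: the condition discussed above (a certificate issued before the CA was regenerated no longer validating against the new CA) reproduced with the openssl CLI on throwaway files. The CA subject, the host name puppetdb.example.test and all file names are constructed assumptions; on a real system the two arguments to chains_to would be the CA certificate the client trusts and the certificate PuppetDB presents.

```shell
#!/usr/bin/env bash
# Added example with constructed, throwaway CAs; it touches no real Puppet files.

# make_ca DIR FILE: self-signed CA in DIR/FILE.{key,pem}. Both CAs get the same
# subject name, as a CA regenerated on the same host typically would.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Puppet CA" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CAFILE: (re)issue DIR/pdb.pem for a constructed PuppetDB host.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=puppetdb.example.test" \
    -keyout "$1/pdb.key" -out "$1/pdb.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/pdb.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/pdb.pem" 2>/dev/null
}

# chains_to CA_PEM CERT_PEM: succeeds only if CERT_PEM validates against CA_PEM.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# same_issuer_name CA_PEM CERT_PEM: compares DN strings only, no signature check.
same_issuer_name() {
  [ "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" = \
    "$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')" ]
}

# regen_demo: old CA issues the cert, the CA is regenerated, then the cert is reissued.
regen_demo() {
  local d name=differs before=FAIL after=FAIL
  d=$(mktemp -d) || return 1
  make_ca "$d" old-ca && issue_cert "$d" old-ca   # PuppetDB cert from the old CA
  make_ca "$d" new-ca                             # CA regenerated with a new key
  same_issuer_name "$d/new-ca.pem" "$d/pdb.pem" && name=same
  chains_to "$d/new-ca.pem" "$d/pdb.pem" && before=OK
  issue_cert "$d" new-ca                          # reissue from the new CA
  chains_to "$d/new-ca.pem" "$d/pdb.pem" && after=OK
  rm -rf "$d"
  echo "issuer_name=$name before_reissue=$before after_reissue=$after"
}

regen_demo   # prints: issuer_name=same before_reissue=FAIL after_reissue=OK
```

The issuer name on the old certificate still matches the new CA's subject, so comparing names is not a sufficient check; only the verification against the new CA's key shows the break.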