Hi,

I've looked in the archives and elsewhere but couldn't find a solution
to the issue I'm having. I'm running puppet with an external CA that I
manage myself (ca=false for puppetmasterd); puppetmasterd is behind an
nginx reverse proxy. On the client I'm getting:

root@web01:~# puppet agent  --verbose --no-daemonize --onetime
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
notice: Using cached catalog
err: Could not retrieve catalog; skipping run

The puppetmaster's fqdn is excel.example.com and the SSL settings on
the master shouldn't really matter since nginx is the SSL endpoint in
this scenario. Could you have a look at the below (also available as
http://pastie.org/1789339) and let me know if my config is sensible or
if you can spot anything incorrect?

Upon puppet agent's invocation, no private keys or CSRs are created,
which was my goal, yet the verification fails. Below I've shown that
the checksums for the certificates used by both the client and master
are the same. Could you tell me (or point to a relevant explanation)
what is being verified in this process?

*** puppetmaster (excel):

/etc/puppet/puppet.conf:

 [main]
 ca=false
 ssldir=/etc/ssl
 cadir=$ssldir
 publickeydir=$ssldir/public
 privatekeydir=$ssldir/private

 certdir=$ssldir/certs
 vardir=/var/lib/puppet

 localcacert = $certdir/ca-example.pem

 [agent]
     vardir = /var/lib/puppet
     logdir = /var/log/puppet
     templatedir = /var/lib/puppet/templates
     factpath = $vardir/lib/facter

     hostcert = $certdir/$certname.pem
     hostprivkey = $privatedir/$certname.pem
     hostpubkey = $publickeydir/$certname.pem

 [master]
     certname = puppet.example.com
     servertype = mongrel



Relevant parts of /etc/nginx/sites-enabled/default:

 server {
   listen 8140;

   ssl                     on;
   ssl_verify_client       on;
   ssl_session_timeout     5m;
   ssl_certificate         /etc/ssl/certs/puppet.example.com.crt;
   ssl_certificate_key     /etc/ssl/private/puppet.example.com.pem;
   ssl_client_certificate  /etc/ssl/certs/ca-example.crt;
   #ssl_crl                 /etc/ssl/crl.pem;

 }

 SSL certs:

 excel:/etc# for i in `find /etc/ssl/ -name '*.pem'`; do md5sum $i; done
 295340125c63ae9d64a87efc17135fec  /etc/ssl/certs/ca-example.pem
 7dbfce2a18002180a89df1853885273c  /etc/ssl/certs/puppet.example.com.pem
 6e33bd09dde9df47274a2ff1e06c1727  /etc/ssl/certs/web01.example.com.pem
 ce15583b70c297f1be3c07b6c2f9828a  /etc/ssl/private/ca-example.pem
 f724911baa98c21291fe4eba4082266a  /etc/ssl/private/puppet.example.com.pem
 a38699481a609f32fab4374b5e51f4b0  /etc/ssl/private/web01.example.com.pem
 5c269566c26c1f268df08b8162e388aa  /etc/ssl/crl.pem
 39571a88f872fa33256692f7e97d266f  /etc/ssl/public/ca-example.pem
 2bf6ed6843c4e523c0e0c6f387fd792b  /etc/ssl/public/puppet.example.com.pem
 94ab66cac55b88c5e8bf02b8a774187d  /etc/ssl/public/web01.example.com.pem




*** puppet client (web01):

/etc/puppet/puppet.conf:

 [main]
 ca=false
 ssldir=/etc/ssl
 cadir=$ssldir
 publickeydir=$ssldir/public
 #privatedir=$ssldir/private
 privatekeydir=$ssldir/private
 certdir=$ssldir/certs

 [agent]
     vardir = /var/lib/puppet
     logdir = /var/log/puppet
     templatedir = /var/lib/puppet/templates
     factpath = $vardir/lib/facter

     localcacert = $certdir/ca-example.pem
     hostprivkey = /etc/ssl/private/web01.example.com.pem
     hostpubkey = $publickeydir/$certname.pem

SSL certs:

 root@web01:~# for i in `find /etc/ssl -name '*.pem'`; do md5sum $i; done
 a38699481a609f32fab4374b5e51f4b0  /etc/ssl/private/web01.example.com.pem
 6e33bd09dde9df47274a2ff1e06c1727  /etc/ssl/certs/web01.example.com.pem
 295340125c63ae9d64a87efc17135fec  /etc/ssl/certs/ca-example.pem
 94ab66cac55b88c5e8bf02b8a774187d  /etc/ssl/public/web01.example.com.pem
 39571a88f872fa33256692f7e97d266f  /etc/ssl/public/ca-example.pem
 5c269566c26c1f268df08b8162e388aa  /etc/ssl/crl.pem

excel:~# date; ssh 172.19.80.212 date
Wed Apr 13 02:36:23 BST 2011
Wed Apr 13 02:36:23 BST 2011
