I have a couple of hosts which are having trouble talking to the puppet VIP:

puppetd[4554]: could not retrieve catalog from remote server: ssl_connect 
returned=1 errno=0 state=sslv3 read server certificate b: certificate verify 
failed
puppetd[4554]: Not using cache on failed catalog
puppetd[4554]: Could not retrieve catalog; skipping run
puppetd[4961]: Retrieving plugin
puppetd[4961]: (/File[/var/lib/puppet/lib]) Failed to generate additional 
resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed
puppetd[4961]: (/File[/var/lib/puppet/lib]) Failed to retrieve current state of 
resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed Could not retrieve file metadata for 
puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server 
certificate B: certificate verify failed

I've gone through the usual SSL troubleshooting: the clocks are in sync, the 
client cert matches the one issued to it by the server (and is decodable by the 
private_key).

When I use tshark to watch the ssl traffic, I see that the client is rejecting 
the server with the following ssl error. The connection never makes it to the 
back-end server, because the client hangs up. (10.1.1.1 is this client, 
10.0.0.1 is the puppet vip)

[root@db9 /var/lib/puppet/ssl]# tshark -n -i bond0 -d tcp.port==8140,ssl -s2000 
'port 8140 and len > 60'
  0.000000 10.1.1.1 -> 10.0.0.1 TCP 29718 > 8140 [SYN] Seq=0 Win=5840 Len=0 
MSS=1460 TSV=1862094055 TSER=0 WS=7
  0.001585 10.1.1.1 -> 10.0.0.1 SSLv2 Client Hello
  0.001713 10.0.0.1 -> 10.1.1.1 TLSv1 Server Hello, Certificate, Certificate 
Request, Server Hello Done
  0.002208 10.1.1.1 -> 10.0.0.1 TLSv1 Alert (Level: Fatal, Description: Unknown 
CA)

But openssl with the same cert and key that puppet is using passes verification 
and connects successfully:

 openssl s_client -connect puppet:8140 -cert certs/db9.domain.com.pem -key 
private_keys/db9.domain.com.pem -showcerts -state -verify 2

103.115871 10.1.1.1 -> 10.0.0.1 TCP 40758 > 8140 [SYN] Seq=0 Win=5840 Len=0 
MSS=1460 TSV=1862197169 TSER=0 WS=7
103.116949 10.1.1.1 -> 10.0.0.1 SSLv2 Client Hello
103.117078 10.0.0.1 -> 10.1.1.1 TLSv1 Server Hello, Certificate, Certificate 
Request, Server Hello Done
103.121057 10.1.1.1 -> 10.0.0.1 TLSv1 Certificate, Client Key Exchange, 
Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
103.122162 10.0.0.1 -> 10.1.1.1 TLSv1 Change Cipher Spec, Encrypted Handshake 
Message

Any thoughts on what could be causing this failure? I've seen quite a few odd 
ones (#3120, #4948 for example) but I've been gnawing at this one all day and 
haven't figured it out.

-=Eric
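An added example, not part of Eric's post or of Puppet itself: the "Unknown CA" alert in the tshark capture means the agent could not chain the server certificate it received to the CA it trusts, which for puppetd is the local copy in /var/lib/puppet/ssl/certs/ca.pem. The script below reproduces that check offline with two constructed CAs ("Puppet CA A" and "Puppet CA B" are made-up names, as is the "vip" server cert for CN=puppet) so you can see the difference between a server cert that chains to the agent's CA and one that does not, and it prints the CA fingerprints and the server cert's issuer, which is what you would compare between a working host and a failing one. One caveat on the s_client run in the post: `-verify 2` only sets the chain depth; s_client still completes the handshake when verification fails unless `-verify_return_error` is given, and without `-CAfile` pointing at the agent's ca.pem it has no Puppet trust anchor to verify against.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce, with constructed
# certificates, the check puppetd performs when it sends "Unknown CA": the
# server certificate must chain to the CA in the agent's local ca.pem
# (/var/lib/puppet/ssl/certs/ca.pem). The two CAs and the server cert below
# are generated on the fly; "Puppet CA A/B" and "puppet" are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: the equivalent of the ca.pem a puppetmaster hands out.
make_ca() {  # $1 = file stem, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Server cert for the puppet VIP name, signed by the given CA.
make_server_cert() {  # $1 = ca stem, $2 = server stem, $3 = CN
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# The actual check: does the server cert chain to this CA? Prints OK or
# UNKNOWN_CA (the alert the tshark capture shows) and always exits 0 so it
# composes under set -e.
verify_against_ca() {  # $1 = ca stem, $2 = server stem
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo UNKNOWN_CA
    fi
}

# Diagnostic to compare between a working and a failing host: the SHA-256
# fingerprint of the CA each side trusts. If the agent's ca.pem and the CA
# that issued the server cert differ here, "Unknown CA" is the expected result.
ca_fingerprint() {  # $1 = ca stem
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Issuer DN of the server cert, to set beside the trusted CA's subject DN.
server_issuer() {  # $1 = server stem
    openssl x509 -in "$WORK/$1.pem" -noout -issuer | sed 's/^issuer= *//'
}

make_ca ca_a "Puppet CA A"     # the CA that actually signed the VIP's cert
make_ca ca_b "Puppet CA B"     # a different CA, as a stale ca.pem on an agent would be
make_server_cert ca_a vip puppet

echo "issuer of vip cert : $(server_issuer vip)"
echo "fingerprint ca_a   : $(ca_fingerprint ca_a)"
echo "fingerprint ca_b   : $(ca_fingerprint ca_b)"
echo "verify with ca_a   : $(verify_against_ca ca_a vip)"   # OK
echo "verify with ca_b   : $(verify_against_ca ca_b vip)"   # UNKNOWN_CA
```

To run the same check live against the VIP from the failing agent, point s_client at the agent's own CA copy and make it fail hard on a verification error: `openssl s_client -connect puppet:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem -cert certs/db9.domain.com.pem -key private_keys/db9.domain.com.pem -verify_return_error`. If that aborts the handshake while the same command on a healthy host succeeds, compare `openssl x509 -in certs/ca.pem -noout -fingerprint -sha256` on both hosts and against the issuer of the certificate the VIP presents (`-showcerts` output), since a VIP fronting masters with different CAs, or a stale ca.pem on one agent, both produce exactly this "Unknown CA" alert.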
