Hi, I have set up Puppet (2.7.5) on 2 different machines on EC2.
Puppet master config
1. Ruby - 1.9.3
2. OS - Amazon Linux image
3. runs as root user

Puppet agent config
1. Ruby - 1.9.3
2. OS - CentOS
3. runs as root user

When I run the agent, it throws an error "unknown ca" (can be seen in tcpdump/server logs) and closes the SSL connection immediately. I tried the following things but no luck...

1. I tried copying the server's certs/ca.pem file to certs/ca.pem and ca/ca_crt.pem on the agent (I don't know the difference).
2. I created a hash symbolic link as suggested here (http://projects.puppetlabs.com/issues/9084)... I thought maybe the OpenSSL lib is not able to validate.
3. I ran this command as well: openssl s_client -connect ip-10-172-42-217.us-west-1.compute.internal:8140 -showcerts -state -verify 2 (output is at the end of this message). No luck.

I have checked that there is no time difference between agent and server.

I have the following questions:
1. What is the difference between the 'localcacert' and 'cacert' settings in puppet.conf?
2. At the time of a fresh install of Puppet, how does the agent validate the server certificate (since the agent doesn't have the CA cert of the master)? I am wondering whether this problem should come up every time during a fresh install, since the agent doesn't have any certificates. But the installation docs don't say anything about setting up SSL certs, so I presume it should work with copying the server CA cert. But how does the agent validate?

I have been struggling with this problem for the last 2 days... tried all stuff but no luck. Looking for suggestions. Let me know if you need more information.

Thanks,
Sumit

OpenSSL output:
verify depth is 2
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
verify return:1
depth=0 /CN=ip-10-172-42-217.us-west-1.compute.internal
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/CN=ip-10-172-42-217.us-west-1.compute.internal
   i:/CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
-----BEGIN CERTIFICATE-----
MIIC8zCCAlygAwIBAgIBBDANBgkqhkiG9w0BAQUFADBBMT8wPQYDVQQDDDZQdXBw
ZXQgQ0E6IGlwLTEwLTE3Mi00Mi0yMTcudXMtd2VzdC0xLmNvbXB1dGUuaW50ZXJu
YWwwHhcNMTExMDA2MjM0MjIzWhcNMTYxMDA0MjM0MjIzWjA2MTQwMgYDVQQDDCtp
cC0xMC0xNzItNDItMjE3LnVzLXdlc3QtMS5jb21wdXRlLmludGVybmFsMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiI5b8wa0HbCAcdFOJX1sZOb0AHfbxv0IM
pZSSmiMIB/RreZo3BVu849o7VfckcSMt/Ajhm2qh5QUFSlkHDJjmf9fkeMonqIXf
sFINfKYY9d1t4SxWwoHGAsdSWhGWn2EmG+/BHm2DDx+rP0CfxlVJxLg48IzApMrc
BXvN08AmQwIDAQABo4IBBDCCAQAwOAYJYIZIAYb4QgENBCsWKVB1cHBldCBSdWJ5
L09wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFK0KtpPeGdqv2uKaQMFWoSqKWW5pMAsGA1UdDwQEAwIFoDAnBgNVHSUE
IDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEMGEGA1UdEQRaMFiCBnB1
cHBldIIraXAtMTAtMTcyLTQyLTIxNy51cy13ZXN0LTEuY29tcHV0ZS5pbnRlcm5h
bIIhcHVwcGV0LnVzLXdlc3QtMS5jb21wdXRlLmludGVybmFsMA0GCSqGSIb3DQEB
BQUAA4GBABi29RDxCvbL+5xwlvLp11R6SfmLLNmdby60b2JS7Sq03XhpcREosYHw
ZkwMyqa76DJgwlbVnfPTs/hmJSzg+J8IFcXo+dxqMx9XcFDCe2Y8bdyQ0axsMvXE
uf00R5hiYHkb/L26/bg0GmKgszf9GjGfN36b3MlO91/mCSTyArVI
-----END CERTIFICATE-----
 1 s:/CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
   i:/CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
-----BEGIN CERTIFICATE-----
MIICcTCCAdqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMT8wPQYDVQQDDDZQdXBw
ZXQgQ0E6IGlwLTEwLTE3Mi00Mi0yMTcudXMtd2VzdC0xLmNvbXB1dGUuaW50ZXJu
YWwwHhcNMTExMDA2MjAwMDA0WhcNMTYxMDA0MjAwMDA0WjBBMT8wPQYDVQQDDDZQ
dXBwZXQgQ0E6IGlwLTEwLTE3Mi00Mi0yMTcudXMtd2VzdC0xLmNvbXB1dGUuaW50
ZXJuYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGdufxRcl+vlOAPM9kI
rHsW53OUeqH1eyu7KedhfwBeUIPQB8m73O7dJIFvr0Hm956cnwtboJQJHFnnwJSV
8uIlNncJRqWMiTXwl9G/W4lg/3y8S/8rv/9DR5cg+In0evnaICIVCxqOGIervjM4
8X8qDI7eFBKibsQLc0xUq9hnAgMBAAGjeTB3MDgGCWCGSAGG+EIBDQQrFilQdXBw
ZXQgUnVieS9PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBQ6U/Xm6NQ2CR5uX6OFoCs2BLeg3jALBgNVHQ8EBAMC
AQYwDQYJKoZIhvcNAQEFBQADgYEAYYL7tulcXbjfMyKO4nLKUkQrVByawnmGd1G1
SOQkpj6GIDA1SKe+I+QPRh4Fpn4/q0MLSm71SBl69lhGA4fc8zFFO/krZhdPnFs3
PZ40ljEncrDoiuvJO18kC0zVdx0ZMpWiQOPIFESiMA2SNaR9oNIt47WfmI+WTpjr
FVy9hck=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ip-10-172-42-217.us-west-1.compute.internal
issuer=/CN=Puppet CA: ip-10-172-42-217.us-west-1.compute.internal
---
No client certificate CA names sent
---
SSL handshake has read 1973 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BAF1F2B192C59CBA1B90ABA8E3C71E4B72F22AA9C2F1F6D0CCDBC0B3C581CEC1
    Session-ID-ctx:
    Master-Key: 74CC9A1363F8872EE2B4F64CEA78BC1F37D3A257D7192D6BA0A6CE126B01105ADAD5FA729D42BCD9BFBB083F99F40C2A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1318385207
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
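The two verification results behind this post, reproduced as an added example that is not part of the original message or of Puppet's own code. In the s_client run above the Puppet CA is self-signed and was not passed with -CAfile, so OpenSSL's chain building ends at a self-signed certificate it has no trust anchor for and reports code 19; the same command with -CAfile pointing at the node's copy of the CA certificate (the file named by the localcacert setting, certs/ca.pem under the ssldir) verifies with code 0. That run also sent no client certificate (no -cert was given), so the handshake completed. A Puppet agent does present a client certificate, and when that certificate does not chain to the CA the master trusts, the master's verification fails with "unable to get local issuer certificate", which OpenSSL reports to the peer as the TLS "unknown ca" alert. On the two settings: in Puppet 2.7, cacert (default $cadir/ca_crt.pem) is the CA's own certificate on the master, and localcacert (default $certdir/ca.pem) is the copy each node uses for verification; a fresh agent has no CA certificate yet and fetches it from the master on its first run without verifying that first connection, which is why the install docs require no manual copying. The Ruby below (Puppet's own language, standard openssl library only) generates a throwaway CA plus master and agent certificates and runs both checks through OpenSSL::X509::StoreContext. The agent hostname, the second "stray" CA and the idea that it was left over from an earlier run are constructed assumptions for illustration, not something the post establishes.

```ruby
# Added example (not from the original post or from Puppet): reproduce the
# X.509 verification outcomes behind "verify error 19" and "unknown ca" with
# throwaway, self-generated certificates. Runs offline; nothing is written to disk.
require 'openssl'

CA_CN     = "Puppet CA: ip-10-172-42-217.us-west-1.compute.internal" # names from the post
MASTER_CN = "ip-10-172-42-217.us-west-1.compute.internal"
AGENT_CN  = "agent.example.internal" # assumed agent hostname (constructed)

# Build a self-signed CA the way the Puppet CA does (CA:TRUE, keyCertSign).
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Issue an end-entity certificate (master or agent) signed by the given CA.
def make_leaf(cn, ca_key, ca_cert, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Verify `leaf` against a trust store holding `trusted` (what -CAfile gives
# s_client, and what the master has in its CA cert), plus whatever extra
# certificates the peer sent in its chain. Returns the X509 verify result code.
def verify_against(trusted, leaf, peer_chain = [])
  store = OpenSSL::X509::Store.new # empty store: no trust anchors at all
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, peer_chain)
  ok  = ctx.verify
  { ok: ok, code: ok ? 0 : ctx.error, reason: ok ? "ok" : ctx.error_string }
end

def puppet_ssl_scenarios
  ca_key, ca_cert = make_ca(CA_CN)
  _, master_cert  = make_leaf(MASTER_CN, ca_key, ca_cert, 2)
  _, agent_good   = make_leaf(AGENT_CN, ca_key, ca_cert, 3)
  # Constructed failure case: an agent certificate issued by some other CA,
  # e.g. a stray CA in the agent's ssldir from an earlier run as a master.
  stray_key, stray_ca = make_ca("Puppet CA: #{AGENT_CN}")
  _, agent_wrong_ca   = make_leaf(AGENT_CN, stray_key, stray_ca, 1)

  {
    # openssl s_client with no -CAfile: empty store, server sends [leaf, CA]
    # -> 19, "self signed certificate in certificate chain"
    server_no_cafile:   verify_against([],        master_cert, [ca_cert]),
    # openssl s_client -CAfile certs/ca.pem -> 0, "ok"
    server_with_cafile: verify_against([ca_cert], master_cert, [ca_cert]),
    # master checking an agent certificate it issued itself -> ok
    agent_right_ca:     verify_against([ca_cert], agent_good),
    # master checking an agent certificate from a CA it does not know
    # -> 20, "unable to get local issuer certificate" (TLS alert: unknown ca)
    agent_wrong_ca:     verify_against([ca_cert], agent_wrong_ca),
  }
end

if __FILE__ == $0
  puppet_ssl_scenarios.each do |name, r|
    printf("%-20s ok=%-5s code=%-2d %s\n", name, r[:ok], r[:code], r[:reason])
  end
end
```

The practical checks this suggests: rerun s_client with -CAfile set to the agent's certs/ca.pem and confirm the return code becomes 0, then compare the issuer of the agent's own certificate (openssl x509 -in certs/<agent>.pem -noout -issuer) with the subject of the master's CA certificate; if they differ, the master will keep answering with "unknown ca" no matter which ca.pem is copied where.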