Furthermore I can verify the cert client side w/ the ca:

root::wave { 10:34:20 Fri Mar 02 }
~-> openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/wave.pem
/var/lib/puppet/ssl/certs/wave.pem: OK

?

On Fri, Mar 2, 2012 at 10:14 AM, Matthew Nicholson <matthew.a.nichol...@gmail.com> wrote:
> So, I made a stupid move this morning I'm trying to correct. While
> trying to get the puppet master to config itself, I moved its certs
> sideways, and regenerated. During this time I did a ntp sync and
> found I was about 2 seconds off. This little test failed and I
> decided I had a better way to do it (manual puppet apply's are safer
> for me for this.. currently), so I put the "original" certs back in
> place, and restarted. Existing clients are fine since they have signed
> certs, however new clients (I cleaned a cert to "force" a new client)
> cannot get their cert verified. The clients report time may be off,
> but it is 00% in sync. Normally we autosign but I've disabled that for
> now and it's made no difference. The client cert comes in fine, and I
> can sign it just fine, but it's the verify on the client end that
> fails:
>
> root::wave { 10:07:25 Fri Mar 02 }
> ~-> puppet agent -t
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for wave.
> info: Retrieving plugin
> info: Caching certificate_revocation_list for ca
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
> err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://provisions/plugins: certificate verify failed. This is often because the time is out of sync on the server or client
> info: Loading facts in vlan
> <SNIP>
> err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: certificate verify failed. This is often because the time is out of sync on the server or client
>
>
> Any thoughts/help? I'd rather not start over and regenerate a
> clean/new master cert, and have to clear client certs on everything
> (about 2k systems)...
>
> Help?
> --
> Matthew Nicholson

--
Matthew Nicholson