err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0
I've seen that when the clocks on the two hosts were out of sync. Even when I
brought the clocks back into sync I found that I had to regenerate the certs
to get it working.

master: puppet cert --clean (restart the puppetmaster)
agent:  (remove the certs) (restart the agent and get the new cert request signed)

On Tue, Apr 24, 2012 at 10:49:00AM -0700, Eric Sorenson wrote:
> I suspect something is wrong with the underlying ssl libraries on the
> client with the problem. Does the output of 'rpm -qa | grep ssl' on the
> non-working client look the same as the client which works? How about
> ldd -r `rpm -ql ruby-libs | grep openssl.so`
> ?
>
> On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas Bétrancourt wrote:
>
> Hi!
>
> I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with an
> rpm supplied by yum.puppetlabs.com.
>
> I've set up an apache2 vhost with mod_ssl and passenger. The server is
> configured to autosign the cert requests.
>
> The agent installed on the puppetmaster's server works fine. I've a
> second agent on a server which can sync with the server too. This server
> is on CentOS 6.2 too. This is a KVM hypervisor helped by libvirt.
> All virtual machines are configured to join a network bridge. Some
> iptables rules forward the traffic from the VM to the world (and
> vice versa). The world can connect to the VM (i.e. SSH) and the VM
> can go to the world.
>
> On the hypervisor, I've a VM on CentOS 6.2 too. The DNS name 'puppet' is
> resolved by the hypervisor (which has a dnsmasq server). When I'm
> launching the puppet agent for the first time, a cert is generated by
> the server. The client has now the certs and key on its filesystem. But
> when the client is trying to sync with the server, I've got the
> following output:
>
> [root@machine-1 ~]# puppet agent --test
> info: Creating a new SSL key for machine-1.test.betrancourt.net
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for machine-1.test.betrancourt.net
> info: Certificate Request fingerprint (md5): BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for machine-1.test.betrancourt.net
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
> [root@machine-1 ~]#
>
> The client cert is in the server cert db:
>
> [root@medion ~]# puppetca list --all | grep machine-1
> + machine-1.test.betrancourt.net (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)
>
> In puppet.conf, on the server, I've the following content:
>
> [main]
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
>
> [agent]
> classfile = $vardir/classes.txt
> localconfig = $vardir/localconfig
> pluginsync = true
>
> [master]
> autosign = true
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> My apache vhost is configured like this:
>
> <VirtualHost 192.168.1.60:8140>
>     SSLEngine on
>     SSLProtocol -all +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile      /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem
>     SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
>     # CRL checking should be enabled; if you have problems with Apache
>     # complaining about the CRL, disable the next line
>     SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth  1
>     SSLOptions +StdEnvVars
>
>     # The following client headers allow the same configuration to work
>     # with Pound.
>     RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>
>     DocumentRoot /etc/puppet/puppetmaster/public
>
>     <Directory /etc/puppet/puppetmaster>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
>
>     ErrorLog  /var/log/httpd/puppetmaster_error.log
>     CustomLog /var/log/httpd/puppetmaster_access.log combined
> </VirtualHost>
>
> On the clients, the puppet.conf has the following content:
>
> [main]
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
>
> [agent]
> classfile = $vardir/classes.txt
> localconfig = $vardir/localconfig
> pluginsync = true
>
> I don't know how to solve this problem. I've read the puppet guides about
> ssl / apache / passenger. I don't understand how some clients can use
> the server, and not only one of these...
>
> Thanks in advance for your support.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
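The two causes discussed in this thread, clock skew between agent and master (which makes the freshly issued agent cert look "not yet valid" from the agent's side) and a TLS version the agent's Ruby/OpenSSL stack and Apache's `SSLProtocol -all +SSLv3 +TLSv1` line cannot agree on, can both be triaged from the failing agent with the helper below. It is an added example, not code from the thread or from Puppet. It assumes GNU `date` and the `openssl` command-line tool; the master name `puppet`, port 8140 and the error text are taken from the thread, the certificate path is the usual agent location under `/var/lib/puppet/ssl` and is an assumption, and the sample error line is constructed from the output quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage helpers for the two failure
# modes raised above, clock skew and TLS protocol mismatch. Runs offline
# except for tls_probe, which is only called explicitly.

# Constructed sample: the agent error line quoted in the thread.
SAMPLE_ERR='err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version'

# Assumed default agent cert path; adjust to ssldir from puppet.conf.
AGENT_CERT=${AGENT_CERT:-/var/lib/puppet/ssl/certs/$(hostname -f 2>/dev/null).pem}

# to_epoch DATE : turn an openssl-style date ("Apr 22 09:19:27 2012 GMT")
# into epoch seconds. Assumes GNU date.
to_epoch() {
    date -u -d "$1" +%s
}

# clock_check NOT_BEFORE NOT_AFTER [NOW_EPOCH]
# Returns 0 when NOW is inside the validity window, 1 when the cert is
# not yet valid (the classic symptom of a slow agent clock or a fast CA
# clock), 2 when expired, 3 when a date could not be parsed.
clock_check() {
    local nb na now
    nb=$(to_epoch "$1") || return 3
    na=$(to_epoch "$2") || return 3
    now=${3:-$(date -u +%s)}
    if [ "$now" -lt "$nb" ]; then
        echo "NOT YET VALID: local clock is $((nb - now))s before notBefore (clock skew between agent and CA?)"
        return 1
    elif [ "$now" -gt "$na" ]; then
        echo "EXPIRED: notAfter passed $((now - na))s ago"
        return 2
    fi
    echo "OK: now is inside the certificate validity window"
    return 0
}

# cert_clock_check PEM_FILE : read notBefore/notAfter from a PEM cert and
# compare them against the local clock with clock_check.
cert_clock_check() {
    local nb na
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2) || return 3
    na=$(openssl x509 -in "$1" -noout -enddate   | cut -d= -f2) || return 3
    clock_check "$nb" "$na"
}

# classify_ssl_error LINE : map an agent log line to a likely cause so the
# right check is run first. "tlsv1 alert protocol version" is the alert a
# server sends when no TLS version offered by the client is enabled on it;
# "certificate verify failed" is OpenSSL's wording for chain/validity
# problems, which includes a cert that is not yet valid due to clock skew.
classify_ssl_error() {
    case "$1" in
        *"tlsv1 alert protocol version"*) echo "protocol-mismatch" ;;
        *"certificate verify failed"*)    echo "cert-verify-failed" ;;
        *SSL_connect*)                    echo "ssl-other" ;;
        *)                                echo "not-ssl" ;;
    esac
}

# tls_probe HOST PORT : one handshake per TLS version, using the same
# client-side OpenSSL the agent links against, to see which versions the
# master's Apache will negotiate. Network access required.
tls_probe() {
    local host=$1 port=$2 v
    for v in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:$port" "$v" </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: refused"
        fi
    done
}

# Offline demonstration on the constructed sample.
echo "error class: $(classify_ssl_error "$SAMPLE_ERR")"
if [ -r "$AGENT_CERT" ]; then
    cert_clock_check "$AGENT_CERT" || :
fi
# Against a live master you would run, for example:  tls_probe puppet 8140
```

Run it on the failing agent and compare `tls_probe` output with the `SSLProtocol` line on the master: if every version is refused while other agents connect, the difference is in the client-side OpenSSL build, which is what the `rpm -qa | grep ssl` and `ldd -r` comparison above gets at. If `cert_clock_check` reports "NOT YET VALID", fix the clocks first and then regenerate the agent cert as described in the reply.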