Right, so here are lots of interesting things now!

The puppetmaster is resolved via /etc/hosts and is set with "server=" in 
the [main] section.

Trying to connect with the openssl command from a working server is just 
fine of course.  From one of the broken servers the following error shows 
up:


CONNECTED(00000003)
3073738376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 174 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I can check the certificate on the client with openssl x509 -text -noout 
-in /var/lib/puppet/ssl/certs/FQDN.pem.  There are some clear differences 
between the working and broken systems.  For example:

BROKEN
 Public-Key: (1024 bit)
 Modulus:
...
 X509v3 Key Usage: critical
   Digital Signature, Key Encipherment
...
 X509v3 Subject Key Identifier: 
   CC:67:4F:45:C8:26:34:3A:22:66:E4:16:7C:81:7E:42:B8:CA:55:24
 X509v3 Basic Constraints: critical
   CA:FALSE


WORKING
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
...
 X509v3 Basic Constraints: critical
   CA:FALSE
...
 X509v3 Key Usage: critical
   Digital Signature, Key Encipherment
 X509v3 Subject Key Identifier: 
   CC:67:4F:45:C8:26:34:3A:22:66:E4:16:7C:81:7E:42:B8:CA:55:24


Unfortunately I do not understand these differences.  Also, I am not sure 
if those differences are a red herring, as those lines are different again 
compared to another working system.

On the master certificate, under alternative name, both "puppet.tld" and 
"mymaster.tld" are listed.  All my clients point to "mymaster.tld" as the 
server.

Martinus.

On Friday, 6 July 2012 15:16:59 UTC+1, Martin Alfke wrote:
>
>
> From 
> http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
>
> Check certificate and validity:
>
> openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem
>
>
> How do you specify the puppetmaster on the clients?
> Do you have a server= line in puppet.conf?
>
> How do the three clients resolve the puppetmaster?
>
> Check certificate on master (take care of the AltDNS Names):
>
> openssl x509 -text -noout -in /etc/puppet/ssl/certs/master.example.com.pem
>
> Check ca on master:
>
> openssl x509 -text -noout -in /etc/puppet/ssl/certs/ca.pem
>
> Simulate an SSL connection:
>
> openssl s_client -host puppet -port 8140 \
>   -cert /path/to/ssl/certs/node.domain.com.pem \
>   -key /path/to/ssl/private_keys/node.domain.com.pem \
>   -CAfile /path/to/ssl/certs/ca.pem
>
> (from http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/)
>
> On 06.07.2012, at 12:20, Martinus wrote:
>
> Martin,
>
> Everything is worth a try !
>
> But it did not work :(  
> I commented out that line (SSLCARevocationFile) and restarted apache.  No 
> change on the working servers, good.  No change on the broken servers, bad.
>
> Martinus.
>
> On Friday, 6 July 2012 11:02:10 UTC+1, Matthew Burgess wrote:
>>
>> > As an additional note, when I stop apache and start puppetmaster with its 
>> > inbuilt web server, then these 3 clients are happy. 
>>
>> Ah, that triggered a memory! 
>>
>> http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger has an 
>> example Apache config stanza for the puppetmaster virtualhost.  In it 
>> are the following couple of lines: 
>>
>> # CRL checking should be enabled; if you have problems with Apache 
>> # complaining about the CRL, disable the next line 
>> SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem 
>>
>> I know it won't help understanding *why* your 3 nodes are misbehaving, 
>> but it may help workaround it. 
>>
>> Regards, 
>>
>> Matt. 
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/8QOLKwKcGbcJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
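The two hypotheses raised in this thread can be tested directly: does the master certificate cover the name agents use in `server=`, and does an agent certificate that passes a plain chain check get rejected once a CRL (what Apache enforces with `SSLCARevocationFile`) is applied. The script below is an added example, not code from the thread or from Puppet; it builds a throwaway PKI with the openssl CLI (the names puppet.tld, mymaster.tld and agent.tld mirror the thread, and `verify_ok`, `check_master_name` and `check_agent_cert` are this example's own helpers).

```shell
#!/bin/sh
# Throwaway PKI constructed for this example (not the thread's real certs):
# a CA, a master cert with two SANs, an agent cert, and a CRL revoking the agent.
set -e
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Puppet CA" \
  -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
for n in master agent; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.tld" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
done
echo "subjectAltName=DNS:puppet.tld,DNS:mymaster.tld" > "$d/san.cnf"
openssl x509 -req -in "$d/master.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
  -CAcreateserial -days 30 -extfile "$d/san.cnf" -out "$d/master.pem" 2>/dev/null
openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
  -CAcreateserial -days 30 -out "$d/agent.pem" 2>/dev/null
cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = puppetca
[puppetca]
database = $d/index.txt
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
EOF
: > "$d/index.txt"
openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl_empty.pem" 2>/dev/null
openssl ca -config "$d/ca.cnf" -revoke "$d/agent.pem" 2>/dev/null
openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl_revoked.pem" 2>/dev/null

# openssl verify prints "<file>: OK" only on success (exit codes vary by version)
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }
# Does the master cert cover the name agents use in server=? 0 if NAME matches.
check_master_name() { verify_ok -CAfile "$1" -verify_hostname "$3" "$2"; }
# One agent cert judged two ways: chain only (a server without CRL checking)
# versus chain plus CRL (Apache with SSLCARevocationFile set).
# Returns 0 = fine either way, 1 = only the CRL check rejects it,
# 2 = the chain itself fails (cert was not signed by this CA).
check_agent_cert() {  # check_agent_cert CA_PEM CRL_PEM AGENT_PEM
  verify_ok -CAfile "$1" "$3" || { echo "$3: not signed by $1"; return 2; }
  verify_ok -CAfile "$1" -crl_check -CRLfile "$2" "$3" ||
    { echo "$3: chain OK, but rejected once the CRL is enforced"; return 1; }
  echo "$3: OK with and without CRL"
}
check_master_name "$d/ca.pem" "$d/master.pem" mymaster.tld && echo "master cert covers mymaster.tld"
check_agent_cert "$d/ca.pem" "$d/crl_empty.pem" "$d/agent.pem" || true
check_agent_cert "$d/ca.pem" "$d/crl_revoked.pem" "$d/agent.pem" || true
```

Run against the real files (`ca.pem`, `ca_crl.pem` and an agent's cert from the master) to see which of the three outcomes each of the three failing nodes produces.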