Hi Chris,

> I regenerated the puppetdb certs according to the instructions here:
>
> Step 3, Option B
>
> https://docs.puppetlabs.com/puppetdb/0.9/install_from_source.html#step-3-option-b-manually-create-a-keystore-and-truststore
>
> And can verify the cert manually using openssl client
>
> # echo "QUIT" | openssl s_client -connect puppetdb:8081 -CAfile /etc/ssl/certs/puppetdb.pem | grep Verify
>     Verify return code: 0 (ok)
>
> However I still get the following:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed to submit 'replace facts' command for host23.example.com to PuppetDB
> at puppetdb:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed: [certificate signature failure for
> /CN=puppetdb]
>
> Where do I place the certs so they are validated by the puppetdb terminus?

The puppetdb terminus should utilise the certificates from the Puppet
master instance it is running from. So from a client/terminus
perspective, you shouldn't have to do anything.

It feels like it's the certificates on the puppetdb server that are
having trouble. What are the full results of this command, when run
from the puppetmaster itself?

openssl s_client -connect puppetdb:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem

Note: I'm specifying the CA file to be the CA on the puppetmaster in
this case, which is what the puppetdb terminus should use; I wasn't
quite sure /etc/ssl/certs/puppetdb.pem in your case was the correct CA
PEM. Either way, I'm interested in the full output using the
puppetmaster's CA specifically, as this is what the puppetdb
terminus/client will use.

Also, what about the contents of the keystore on the puppetdb server
that you configured with those instructions you specified? This is for
example what mine looks like (with the key identifier section
removed):

# keytool -list -v -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: puppetdb1.vm
Creation date: 10-Jan-2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=puppetdb1.vm
Issuer: CN=Puppet CA: puppetdb1.vm
Serial number: 2
Valid from: Wed Jan 09 18:49:41 GMT 2013 until: Tue Jan 09 18:49:41 GMT 2018
Certificate fingerprints:
MD5:  5A:CB:F2:5E:84:27:E8:49:BF:0E:83:3A:3A:A8:EA:09
SHA1: 8F:CA:36:99:93:9F:DB:04:B6:5F:67:45:70:0C:D0:B1:B1:D7:35:D2
SHA256: D0:C4:C5:D4:FA:14:37:B1:74:F5:D9:EB:78:E0:26:71:06:2F:98:E4:EA:BC:22:6C:E6:40:A4:5A:5E:C5:77:8D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 28 50 75 70 70 65 74   20 52 75 62 79 2F 4F 70  .(Puppet Ruby/Op
0010: 65 6E 53 53 4C 20 49 6E   74 65 72 6E 61 6C 20 43  enSSL Internal C
0020: 65 72 74 69 66 69 63 61   74 65                    ertificate

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: puppet
  DNSName: puppet.vm
  DNSName: puppetdb1.vm
]

(I've removed the key identifier)

I'm primarily curious to see that the file is in a valid format, and
that the issuer is the CA of your puppetmaster, like mine shows under
the 'Issuer' part. Generally this is what the designation 'signature'
is all about, referenced in your error message 'certificate signature
failure for /CN=puppetdb'.

Beyond that, we'll want to make sure the CA you have in your
truststore matches the CA on the puppetmaster:

puppetdb # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, 10-Jan-2013, trustedCertEntry,
Certificate fingerprint (SHA1): 84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

puppetmaster # openssl x509 -noout -in /var/lib/puppet/ssl/ca/ca_crt.pem -fingerprint
SHA1 Fingerprint=84:55:94:05:A7:2C:D4:88:A5:47:F3:7C:54:11:50:3B:81:53:64:12

If these don't match, then your truststore contains the wrong CA file.

ken.
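Two of the cross-checks above (the cert served on 8081 verifying against the puppetmaster CA, and the truststore's CA fingerprint matching ca_crt.pem) as an added shell script; this is not part of the original post or of PuppetDB. It assumes the paths used in the thread and a STOREPASS environment variable holding the truststore password, and its fingerprint parser accepts both the keytool and the openssl output formats shown above.

```shell
#!/bin/sh
# Added example, not from the thread: scripts two of the cross-checks Ken
# walks through by hand. Paths are the ones used in the thread; the truststore
# password is read from $STOREPASS (an assumption, set it for your install).

# Pull a colon-separated SHA1 fingerprint out of either tool's output:
#   keytool: "Certificate fingerprint (SHA1): 84:55:...:12"  (on one line)
#   openssl: "SHA1 Fingerprint=84:55:...:12"
# 20 bytes = 40 hex + 19 colons = 59 chars; upper-cased for textual comparison.
extract_sha1() {
    printf '%s\n' "$1" \
      | sed -n 's/.*SHA1[^:=]*[:=] *\([0-9A-Fa-f:]\{59\}\).*/\1/p' \
      | head -n 1 | tr 'a-f' 'A-F'
}

# Exit 0 when both outputs carry the same SHA1 fingerprint, 1 otherwise
# (a missing fingerprint on either side is a mismatch, never a match).
same_fingerprint() {
    a=$(extract_sha1 "$1"); b=$(extract_sha1 "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does the cert PuppetDB serves on 8081 chain to the puppetmaster CA?
# Healthy output is "Verify return code: 0 (ok)".
check_served_cert() {
    host=${1:-puppetdb}; ca_pem=${2:-/var/lib/puppet/ssl/ca/ca_crt.pem}
    echo QUIT | openssl s_client -connect "$host:8081" -CAfile "$ca_pem" 2>/dev/null \
      | grep 'Verify return code'
}

# Does the trustedCertEntry in the PuppetDB truststore carry the same SHA1
# fingerprint as the puppetmaster's ca_crt.pem? Run where both are readable.
check_truststore_ca() {
    truststore=${1:-/etc/puppetdb/ssl/truststore.jks}
    ca_pem=${2:-/var/lib/puppet/ssl/ca/ca_crt.pem}
    ks_out=$(keytool -list -keystore "$truststore" -storepass "${STOREPASS:?}")
    ca_out=$(openssl x509 -noout -sha1 -fingerprint -in "$ca_pem")
    if same_fingerprint "$ks_out" "$ca_out"; then
        echo "OK: truststore CA matches $ca_pem ($(extract_sha1 "$ca_out"))"
    else
        echo "MISMATCH: truststore CA $(extract_sha1 "$ks_out")" \
             "vs puppetmaster CA $(extract_sha1 "$ca_out")"
        return 1
    fi
}

# Run the live checks only when invoked as "sh check_puppetdb_ssl.sh check",
# so the functions above can also be sourced and used one at a time.
if [ "${1:-}" = "check" ]; then check_served_cert; check_truststore_ca; fi
```

A MISMATCH from check_truststore_ca is the "wrong CA in the truststore" case described above; a non-zero "Verify return code" from check_served_cert points at the keystore entry instead.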
