Hello everyone, CentOS 7.1, Puppet 3.6.2.

The agent can't request a certificate signing because the SSL connection to the master doesn't work:

"Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain"

Initially, I could verify that the underlying openssl will return a connection error using both "openssl s_client -connect host:8140" and a simple ruby program where I "http.start { http.request(req) }" and then check for SSL errors. But then, using the -showcerts option in the openssl command above, I could see and copy the master's cert into /etc/pki/ca-trust/source/anchors/host.pem, after which I ran update-ca-trust. Predictably enough, both the openssl s_client and my ruby test would then connect OK to the master on port 8140; yet agent -t keeps returning an error.

I've searched for all .pems on the instance:

/var/lib/puppet/ssl/certificate_requests/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/public_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/private_keys/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/2deeabc8-24a4-11dc-a7d0-000ea68f7399.lab.pem
/var/lib/puppet/ssl/certs/ca.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source/anchors/host.pem
/etc/pki/tls/cert.pem
/usr/share/rubygems/rubygems/ssl_certs/Class3PublicPrimaryCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/EntrustnetSecureServerCertificationAuthority.pem
/usr/share/rubygems/rubygems/ssl_certs/GeoTrustGlobalCA.pem
/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem
/usr/share/rubygems/rubygems/ssl_certs/host.pem
/usr/share/rubygems/rubygems/ssl_certs/DigiCertHighAssuranceEVRootCA.pem

The "/usr/share/rubygems/rubygems/ssl_certs/ca-bundle.pem" is just a link to "/etc/pki/tls/cert.pem", which in turn is controlled by update-ca-trust but, just as an extra check, if I grep for the master's cert in "/etc/pki/tls/cert.pem" I get a match.

As you can see above, I've also added host.pem (an exact copy of the master's cert) into "/usr/share/rubygems/rubygems/ssl_certs/" but to no avail... It was a desperate measure, I agree, if only because the said pem was anyway included in "/etc/pki/tls/cert.pem", but I'm really running out of ideas.

A strace -e trace=file shows that the only .pem files read by "puppet agent -t" are the ones from "/var/lib/puppet/ssl/" and the one from "/etc/pki/tls/cert.pem".

Since both openssl s_client and my test ruby work, the whole thing should have worked... yet it doesn't. Any hints? :-|
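An added example in Ruby (the language of the poster's own test; not code from the post or from Puppet) that builds a throwaway CA and master certificate and shows which OpenSSL verify result a client gets when its trusted CA matches the served chain, when it trusts a different CA, and when the master sends no CA at all. The Puppet agent validates the master against its own $ssldir/certs/ca.pem (localcacert) rather than the system trust store, so comparing the agent's error with these three results shows which store disagrees with the served chain; all names, keys and certificates below are constructed.

```ruby
require "openssl"

# Constructed stand-ins for a Puppet CA and the master cert it signed; in a real
# deployment these are $ssldir/certs/ca.pem and $ssldir/certs/<master>.pem.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject   # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify the chain a server presented (leaf plus any extra certs it sent) against
# the CA certs a client trusts, and return OpenSSL's [error code, error string].
def verify_served_chain(trusted_cas, leaf, extra_chain)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, extra_chain)
  ctx.verify
  [ctx.error, ctx.error_string]
end

def demo
  ca_key, master_key, stale_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  puppet_ca = make_cert("/CN=Puppet CA: master.lab", ca_key, ca: true, serial: 1)
  master    = make_cert("/CN=master.lab", master_key, issuer: puppet_ca, issuer_key: ca_key, serial: 2)
  # A different self-signed CA, standing in for a stale ca.pem from an earlier master.
  stale_ca  = make_cert("/CN=Puppet CA: old-master.lab", stale_key, ca: true, serial: 3)
  {
    # trusted CA matches the one that signed the master cert: V_OK (0)
    matching_ca:    verify_served_chain([puppet_ca], master, [puppet_ca]),
    # master sends [host cert, its CA] but the client trusts another CA:
    # V_ERR_SELF_SIGNED_CERT_IN_CHAIN (19), the message in the agent warning above
    stale_ca:       verify_served_chain([stale_ca], master, [puppet_ca]),
    # master sends only its host cert and the client trusts another CA:
    # V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)
    no_ca_in_chain: verify_served_chain([stale_ca], master, [])
  }
end

demo.each { |name, (code, msg)| puts "#{name}: #{code} #{msg}" } if __FILE__ == $0
```

Pointing the same verification at the real files (store built from the agent's ca.pem, chain taken from `openssl s_client -showcerts`) reproduces what the agent sees without touching the system anchors.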