Andy, did you get this fixed?

--eric0

On Friday, November 16, 2018 at 9:02:02 AM UTC-8, Andy Hall wrote:
>
> Hmm perhaps I should RTFM : 
> https://puppet.com/docs/puppetdb/6.0/maintain_and_tune.html#redo-ssl-setup-after-changing-certificates
>
> On Friday, 16 November 2018 16:49:20 UTC, Andy Hall wrote:
>>
>> Apologies for the late reply but do you know how to re-create the certs 
>> for PuppetDB ? Is there a specific PuppetDB group who may be able to answer 
>> this ? Thanks very much.
>>
>> On Wednesday, 3 October 2018 19:04:26 UTC+1, Maggie Dreyer wrote:
>>>
>>> If you regenerated your CA as part of fixing the issues with the 
>>> master/agent connection, did you also regenerate the certificates for 
>>> PuppetDB? Not having really any experience with PuppetDB, I could see this 
>>> error being caused by still using certificates issued by the old certificate 
>>> authority.
>>>
>>> On Wed, Oct 3, 2018 at 10:58 AM Andy Hall <andyjo...@gmail.com> wrote:
>>>
>>>> Just fixed an issue with the puppetserver ca after a 5.x to 6.x upgrade 
>>>> (see post "PUPPET 6.0 : CSR from master does not match the agent public 
>>>> key" for more details) but now experience the following issue with 
>>>> PuppetDB 
>>>> (maybe a problem with the Java KeyStore ?):
>>>>
>>>> AGENT:
>>>>
>>>> # puppet agent --test
>>>>
>>>> Warning: Unable to fetch my node definition, but the agent run will 
>>>> continue:
>>>> Warning: Error 500 on SERVER: Server Error: Could not retrieve facts 
>>>> for andy-puppet6-test.london.company.com: Failed to find facts from 
>>>> PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/
>>>> andy-puppet6-test.london.company.com/facts' on at least 1 of the 
>>>> following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>>>
>>>> Info: Retrieving pluginfacts
>>>> Info: Retrieving plugin
>>>> Info: Retrieving locales
>>>> Info: Loading facts
>>>>
>>>> Error: Could not retrieve catalog from remote server: Error 500 on 
>>>> SERVER: Server Error: Failed to execute 
>>>> '/pdb/cmd/v1?checksum=53837e24e8b91d10fc3a81a657b83258c0ab3f8f&version=5&certname=
>>>> andy-puppet6-test.london.company.com&command=replace_facts&producer-timestamp=1538588583'
>>>>  
>>>> on at least 1 of the following 'server_urls': 
>>>> https://ldn1-puppet5.london.company.com:8081
>>>>
>>>> Warning: Not using cache on failed catalog
>>>> Error: Could not retrieve catalog; skipping run
>>>>
>>>> MASTER:
>>>>
>>>> ==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
>>>> 2018-10-03T18:49:26.860+01:00 ERROR [qtp1255475413-70] 
>>>> [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
>>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
>>>>     at 
>>>> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>>>     at 
>>>> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>>>>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>>>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>>>>     at 
>>>> org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
>>>>     at 
>>>> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
>>>>     at 
>>>> org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
>>>>     at 
>>>> org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine 
>>>> problem
>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>>>     at 
>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>>>>     at 
>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
>>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>     at 
>>>> sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
>>>>     at 
>>>> org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
>>>>     at 
>>>> org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>>>>     ... 9 common frames omitted
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path 
>>>> validation failed: java.security.cert.CertPathValidatorException: Path 
>>>> does 
>>>> not chain with any of the trust anchors
>>>>     at 
>>>> sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>>>>     at 
>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>>>>     at sun.security.validator.Validator.validate(Validator.java:262)
>>>>     at 
>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>>     at 
>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>>>>     at 
>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>>>>     at 
>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>>>>     ... 17 common frames omitted
>>>> Caused by: java.security.cert.CertPathValidatorException: Path does not 
>>>> chain with any of the trust anchors
>>>>     at 
>>>> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
>>>>     at 
>>>> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>>>>     at 
>>>> java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>>>>     at 
>>>> sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>>>>     ... 23 common frames omitted
>>>> 2018-10-03T18:49:26.873+01:00 WARN  [qtp1255475413-70] [puppetserver] 
>>>> Puppet Error connecting to ldn1-puppet5.london.company.com on 8081 at 
>>>> route /pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts, 
>>>> error message received was 'Error executing http request'. Failing over to 
>>>> the next PuppetDB server_url in the 'server_urls' list
>>>> 2018-10-03T18:49:26.881+01:00 ERROR [qtp1255475413-70] [puppetserver] 
>>>> Puppet Server Error: Could not retrieve facts for 
>>>> andy-puppet6-test.london.company.com: Failed to find facts from 
>>>> PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/
>>>> andy-puppet6-test.london.company.com/facts' on at least 1 of the 
>>>> following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>>>
>>>> Seems to be an SSL issue with PuppetDB ? Maybe the Java KeyStore ? 
>>>> Please note this is not a simple TCP problem - the connection from agent 
>>>> to 
>>>> master on port 8081 is fine.
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Puppet Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to puppet-users...@googlegroups.com.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/puppet-users/10f93c46-6fbb-484f-9a60-a3ebbf0116b7%40googlegroups.com
>>>>  
>>>> <https://groups.google.com/d/msgid/puppet-users/10f93c46-6fbb-484f-9a60-a3ebbf0116b7%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
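
The root cause in the trace above, `Path does not chain with any of the trust anchors`, can be reproduced and checked with `openssl verify`. This is an added example, not part of the original thread: the CA and host names are constructed, and both CAs deliberately share one subject name to show that a regenerated CA with a new key still rejects certificates issued by the old one.

```shell
#!/bin/sh
# Added example with throwaway CAs; every name and path here is constructed.

# make_ca DIR: create a self-signed CA (ca.key, ca.pem) in DIR.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Puppet CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_leaf CADIR OUT.pem CN: issue a certificate for CN signed by the CA in CADIR.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "${2%.pem}.key" -out "${2%.pem}.csr" 2>/dev/null
  openssl x509 -req -in "${2%.pem}.csr" -days 1 -out "$2" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial 2>/dev/null
}

# chains_to CA.pem LEAF.pem: exit 0 only if LEAF validates with CA as trust anchor.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict LABEL CA.pem LEAF.pem: print "LABEL: trusted" or "LABEL: rejected".
verdict() {
  if chains_to "$2" "$3"; then echo "$1: trusted"; else echo "$1: rejected"; fi
}

# demo: issue a service cert, regenerate the CA, then compare old and reissued certs.
demo() {
  d=$(mktemp -d)
  make_ca "$d/old"
  issue_leaf "$d/old" "$d/pdb-old.pem" "puppetdb.example.test"
  make_ca "$d/new"   # CA regenerated: same subject, new key pair
  verdict old-cert "$d/new/ca.pem" "$d/pdb-old.pem"
  issue_leaf "$d/new" "$d/pdb-new.pem" "puppetdb.example.test"
  verdict new-cert "$d/new/ca.pem" "$d/pdb-new.pem"
  rm -rf "$d"
}

demo
```

On a real host, `chains_to` takes the current CA certificate and the certificate PuppetDB presents on port 8081; a non-zero exit means that certificate has to be reissued from the new CA.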
