Re: [Puppet Users] Certificate verify fails without indications

2013-02-15 Thread binaryred
I will try to work with the certificate_signer.rb file and see if I can get it to work. Thanks for the help! Jason On Friday, February 15, 2013 8:21:28 AM UTC-5, Luigi Martin Petrella wrote: > > Jason, for the reasons we wrote before in previous messages (especially > what Matt Black said), P

Re: [Puppet Users] Certificate verify fails without indications

2013-02-15 Thread Luigi Martin Petrella
Jason, for the reasons we wrote before in previous messages (especially what Matt Black said), Puppet 3.1.0 will never work with an agent that runs openssl library version 0.9.7 (which is the version running on RH4). Even if you had a master with Puppet 2.7.x working correctly with RH4 nodes, it is pe

Re: [Puppet Users] Certificate verify fails without indications

2013-02-15 Thread binaryred
Luigi, Thanks for the suggestion, however I've already done that in some sense. Here's my FULL situation: I was running a puppet 2.6.6 master on a RHEL5 machine with lots of RHEL4,5,6 machines (mostly RHEL5) connecting to it. The clients are all running puppet 0.25.5 and working just fine.

Re: [Puppet Users] Certificate verify fails without indications

2013-02-15 Thread Luigi Martin Petrella
Jason, you could try to set one Redhat 4 node as master and verify if it works correctly with another RH4 agent, so you can establish if the problem is about RH4 agents or RH6 master... On 14 February 2013 19:45, binaryred wrote: > On my puppet master, I uninstalled my puppet RPM, downloaded t

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread binaryred
On my puppet master, I uninstalled my puppet RPM, downloaded the tarball for puppet 3.1.0, modified the source for the certificate_signer.rb, and ran 'ruby install.db'. It installed the modified certificate_signer.rb file and runs just fine on the master (as it did before), but my client RHEL4

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread binaryred
Yeah, I just replaced my server name with that. I've got RHEL5 and RHEL6 machines talking to my puppet master just fine. On Thursday, February 14, 2013 12:18:19 PM UTC-5, Felix.Frank wrote: > > On 02/14/2013 05:20 PM, binaryred wrote: > > Any other suggestions? > > Yeah, actually... > > > err

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread Felix Frank
On 02/14/2013 05:20 PM, binaryred wrote: > Any other suggestions? Yeah, actually... > err: Could not send report: certificate verify failed: [certificate > signature failure for /CN=puppetmaster.example.com > ] Is the name of your master puppetmaster.example.com?

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread binaryred
Unfortunately, I am installing my puppet agent and master with RPMs. When I uninstall and reinstall the puppet agent, it blows away the certificate_signer.rb file and recreates it with the original file. I have a number of systems (not all of which I have control over) that I'll need to do th

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread Luigi Martin Petrella
Your configuration is almost the same as mine. I'm not 100% sure but I think that after modifying certificate_signer.rb you should re-install puppet, running "ruby install.rb" again. (in my case, I first downloaded source code, then modified the class and finally ran the install.rb) On 14 Februa

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread binaryred
Puppet master is running RHEL 6.3 with the following packages: puppet-3.1.0-1.el6.noarch puppet-server-3.1.0-1.el6.noarch openssl-1.0.0-20.el6_2.5.x86_64 Client is running RHEL 4.8 with the following packages: puppet-2.7.20-1 openssl-0.9.7a-43.17.el4_7.2 After changing the certificate_signer.rb

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread Luigi Martin Petrella
Jason, I did the change on master, Centos 6.3 with Puppet 3.1.0. This modification can't be applied on Puppet 2.7.x since the class certificate_signer.rb doesn't exist in Puppet 2.7 source code. What's your configuration on master and agent nodes? What's the output of "rpm -qa | grep openssl"?

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread binaryred
Luigi, I find I'm in a similar situation as you, except I am not running puppet 3 on my client, I am running puppet 2.7. This change that you made, was it on the client or your puppet master? Thanks, Jason On Thursday, February 14, 2013 5:31:13 AM UTC-5, Luigi Martin Petrella wrote: > > The

Re: [Puppet Users] Certificate verify fails without indications

2013-02-14 Thread Luigi Martin Petrella
The trick worked :-) Thanks to everyone for your contribution! On 13 February 2013 18:26, Luigi Martin Petrella < luigimartin.petre...@gmail.com> wrote: > Yes, it is exactly the cause of the problem! > " > > certificate_signer.rb > > # Take care of signing a certificate in a FIPS 140-2 complian

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
Yes, it is exactly the cause of the problem! " certificate_signer.rb # Take care of signing a certificate in a FIPS 140-2 compliant manner. # # @see http://projects.puppetlabs.com/issues/17295 # # @api private class Puppet::SSL::CertificateSigner def initialize if OpenSSL::Digest.con

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Matthew Black
Yes, because as part of the fix it checks on the CA, when it's signing the cert, whether it can support 256 or not. If it does not, it drops down to a lower SHA. If you look at the pull request that is part of the ticket, specifically the changes. If you scroll down to the certificate_signer.rb chang

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
Matthew, you are right, this explains ALMOST everything "Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in this case, which runs version 0.9.7 with patches and doesn't support sha256. I don't mind the idea of compiling 1.0.x but the issue still seems to stand that you can'

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Matthew Black
I think this issue is related to your issue since the version discussed is 0.9.7. http://projects.puppetlabs.com/issues/17295 What you will need to do, more than likely, is update the openssl on the agent. I don't think it will work too well but you can try to take the srpm from rhel 5 or 6 and b

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
Yes, RED HAT 4 is very old, but we can't update it. I agree with the idea that the problem could be the ssl library. As I wrote before, on RH4 we have openssl-0.9.7, on the other systems it's 1.0.0. Maybe the puppet 3.0.1 master forces the use of SHA256 for certificate digest, but SHA256 is not supported by

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Felix Frank
On 02/13/2013 03:32 PM, Luigi Martin Petrella wrote: > MASTER Centos 6.3, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR > MASTER Ubuntu 12.10, puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = > ERROR MASTER RedHat 4, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = > OK I agree with Matthe

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
I have to do an update. We just configured one RED HAT 4 node as puppet master, and connected another RH4 agent node without any ssl or certificate issue. So, brief recap: MASTER Centos 6.3, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR MASTER Ubuntu 12.10, puppet 3.0.1 --> Agent RedHat 4,

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread jcbollinger
On Wednesday, February 13, 2013 6:15:09 AM UTC-6, Felix.Frank wrote: > > Hmm, so did you *ever* use --waitforcert on your agent side? > > If you haven't, that's your problem right there. > > I never use --waitforcert. Instead, I just run the agent twice when I first set up Puppet, signing the

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
Master: Centos 6.3, Puppet 3.1.0 Ubuntu, Puppet 3.1.0 Agent: Redhat 4, Puppet 3.1.0 Yesterday something strange happened: we tried to connect the RedHat agent with a Puppet Enterprise Master on Centos 6.3, and there weren't any certificate problems and everything worked. Today we are trying with the

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Matthew Black
What versions of puppet are being used on the client and the server? Assuming the master is running on Linux, what distro and release is the master running on? I suspect the openssl might be the issue on the client. On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote: > Felix,

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Luigi Martin Petrella
Felix, why do you think the problem is related to the "--waitforcert" option? I tried to run "puppet agent -t --waitforcert 100", and after signing the request on master, on agent I receive this message: Error: Could not request certificate: Unsupported digest algorithm (SHA256). Error: Failed t

Re: [Puppet Users] Certificate verify fails without indications

2013-02-13 Thread Felix Frank
On 02/11/2013 10:51 PM, Jo Rhett wrote: > All cert problems are either time sync or certificate name issues. So > it's one of those two. A bold assertion. It may hold true as far as puppet is concerned, though. I generally advise to take the time and learn about x509 and openssl's interface, so on

Re: [Puppet Users] Certificate verify fails without indications

2013-02-11 Thread Luigi Martin Petrella
Jo, I hope that you are right, because probably time or naming problems are solvable, unlike problems with the ssl lib... Let's assume it is a timing problem: I synchronized date and hwclock on the agent manually, obtaining an offset of 2 seconds with the master. Is it too much? Shall I set up an NTP service

Re: [Puppet Users] Certificate verify fails without indications

2013-02-11 Thread Jo Rhett
Sounds like your puppet master isn't signing the cert with the name that the agent is connecting with? All cert problems are either time sync or certificate name issues. So it's one of those two. On Feb 11, 2013, at 9:35 AM, Luigi Martin Petrella wrote: > I have a puppet master on Centos 6.3 co

[Puppet Users] Certificate verify fails without indications

2013-02-11 Thread Luigi Martin Petrella
I have a puppet master on Centos 6.3 connected and working properly with other Centos 6.3 agent. I installed puppet agent via gems on a RED HAT 4 node. This is what happens when I try to sign certificate for the new node: AGENT [root@FP2 ~]$ puppet agent -t Info: Creating a new SSL key for