  1. Puppet
  2. PUP-4275

SSL cert fails to verify using puppet-agent-0.9.0-1 and puppetserver-2.0.0-0.1rc3

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:

      Single redhat-7-x86_64 box, puppet installed from packages
      Agent: puppet-agent-0.9.0-1
      Server: puppetserver-2.0.0-0.1rc3

    • Template:

      Description

      Initial agent run fails to verify CA certificate

      # /opt/puppetlabs/bin/puppet agent -t
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Info: Retrieving plugin
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      Warning: Not using cache on failed catalog
      Error: Could not retrieve catalog; skipping run
      Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
      

      The CA as pemaster1-prod.ops.puppetlabs.net seems suspicious

      Steps to reproduce

      Provision RedHat-7-x86_64 device

      Install puppetserver requirements

      The puppetserver package requires java-1.7.0-openjdk and net-tools packages. Install them via yum.

      yum -y install java-1.7.0-openjdk net-tools
      

      Obtain puppetserver and puppet-agent from nightlies

      curl -O http://nightlies.puppetlabs.com/puppetserver-latest/repos/el/7/devel/x86_64/puppetserver-2.0.0-0.1rc3.el7.noarch.rpm
      curl -O http://nightlies.puppetlabs.com/puppet-agent-latest/repos/el/7/products/x86_64/puppet-agent-0.9.0-1.el7.x86_64.rpm
      

      Install puppet-agent

      rpm -ivh puppet-agent-0.9.0-1.el7.x86_64.rpm 
      

      Install puppetserver

      rpm -ivh puppetserver-2.0.0-0.1rc3.el7.noarch.rpm 
      

      Start puppetserver

      service puppetserver start
      

      Verify that server is running

      # service puppetserver status
      Redirecting to /bin/systemctl status  puppetserver.service
      puppetserver.service - puppetserver Service
         Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled)
         Active: active (running) since Fri 2015-03-20 11:45:42 PDT; 28min ago
        Process: 20559 ExecStartPost=/bin/bash ${INSTALL_DIR}/ezbake-functions.sh wait_for_app (code=exited, status=0/SUCCESS)
        Process: 20556 ExecStartPre=/usr/bin/install --directory --owner=puppet --group=puppet --mode=775 /var/run/puppetlabs/puppetserver (code=exited, status=0/SUCCESS)
       Main PID: 20558 (java)
         CGroup: /system.slice/puppetserver.service
                 └─20558 java -Xms2g -Xmx2g -XX:MaxPermSize=256m -XX:OnOutOfMemoryError=kill -9 %p -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/pu...
       
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,463 |-INFO in LogbackRequestLog - Will use configuration file [/etc/puppetlabs/puppetserve...ging.xml]
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,467 |-INFO in ch.qos.logback.access.joran.action.ConfigurationAction - debug attribute not set
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,468 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appen...Appender]
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,468 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - Naming appender as [FILE]
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,468 |-INFO in ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default ... property
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,475 |-INFO in ch.qos.logback.core.FileAppender[FILE] - File property is set to [/var/log/p...cess.log]
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,475 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction - Attaching appender name...] to null
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,475 |-INFO in ch.qos.logback.access.joran.action.ConfigurationAction - End of configuration.
      Mar 20 11:45:41 d2v3bhgh4hobshx java[20558]: 11:45:41,475 |-INFO in ch.qos.logback.access.joran.JoranConfigurator@4564dded - Registering current...ack point
      Mar 20 11:45:42 d2v3bhgh4hobshx systemd[1]: Started puppetserver Service.
      Hint: Some lines were ellipsized, use -l to show in full.
      

      Run puppet agent

      /opt/puppetlabs/bin/puppet agent -t
      

              People

              • Assignee:
                Unassigned
                Reporter:
                john.duarte John Duarte
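
A triage helper for the failure shown in this report, added here as an example and not part of the original ticket or of Puppet itself: it pulls the CA subject out of the "certificate verify failed" lines and compares it with the CA name expected for the local server. The function names and the certname `server01.example.test` are assumptions, and the check assumes the CA subject has the form "Puppet CA: <certname>" seen in the output above.

```shell
#!/bin/sh
# Added triage helper, not part of the original report.

# Print each distinct subject CN named in "certificate verify failed"
# messages read from stdin.
verify_failure_cns() {
    sed -n 's|.*certificate verify failed: \[.* for /CN=\([^]]*\)].*|\1|p' | sort -u
}

# Compare the CA named in the failures with the CA this host is expected
# to trust. Assumes the CA subject has the form "Puppet CA: <certname>",
# as in the output above.
# $1 = expected CA certname. Returns 0 on match, 1 on mismatch,
# 2 when stdin holds no verify failure.
check_ca_subject() {
    expected="Puppet CA: $1"
    found=$(verify_failure_cns)
    if [ -z "$found" ]; then
        echo "no certificate verify failures in input"
        return 2
    fi
    if [ "$found" = "$expected" ]; then
        echo "failures name the expected CA: $found"
        return 0
    fi
    echo "failures name: $found"
    echo "expected:      $expected"
    return 1
}

# Sample input: lines shortened from the agent output in the report.
sample_agent_output() {
    cat <<'EOF'
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: pemaster1-prod.ops.puppetlabs.net]
Error: Could not retrieve catalog; skipping run
EOF
}

# "server01.example.test" is a constructed certname for the local server.
sample_agent_output | check_ca_subject "server01.example.test" || echo "exit status: $?"
# On a live host:
#   /opt/puppetlabs/bin/puppet agent -t 2>&1 | check_ca_subject "$(/opt/puppetlabs/bin/puppet config print certname)"
```

A mismatch (status 1) means the failures name a CA other than the one expected for this server.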