
Introduction:
When you create new puppet clients, when a client's certificate has changed, or when you have changed your puppet master, you will run into the following problem:
Example error messages related to this problem:
Debug: Starting connection for https://concar-pm01:8140 Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Debug: Evicting cache entry for environment 'branch_01
Debug: Starting connection for https://concar-pm01:8140 Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://concar-pm01/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Debug: Starting connection for https://concar-pm01:8140 Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://concar-pm01/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run
Step-by-step guide to solving the SSL certificate problem (less secure, more effective for many clients)
You must be root on the puppet master and on the affected hosts!
Disable the puppet agent on the puppet master until you have solved the cert problem (it takes about 10 minutes plus the affected hosts' puppet agent catalog run time):
puppet agent --disable "temp. disabled due to REASON"
Modify the puppet configuration on the puppet master:
– vi /etc/puppet/puppet.conf
– change this key under the [master] section from "autosign = false" to "autosign = true"
Clean / delete the affected host's certificate on the puppet master:
puppet cert clean "test-host01"
Log in to the affected host (for example ssh testuser@test-host01) and delete puppet's SSL-related folders:
rm -rf /var/lib/puppet/ssl/*
Now you can run the puppet agent again on the affected host without the certificate problem. When the puppet agent has finished, you must
revert the puppet configuration on the puppet master (autosign = false), and then you can enable the puppet agent on it again.
The needed certs have been recreated by these steps.
Step-by-step guide to solving the SSL certificate problem (more secure, more effective for a standalone host or a few clients)
On puppet master:
Here you will find the signed and unsigned clients.
On puppet client:
You can start the puppet agent with an option that makes it wait for its certificate to be signed:
puppet agent -t --waitforcert 180
The client will wait up to 180 seconds for its cert to be signed on the puppet master.
On puppet master:
Here you will find the signed and unsigned clients.
puppet cert sign your_clients_name
This signs its cert.
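The "more secure" workflow above relies on an operator deciding which pending request to sign. The one check worth adding before `puppet cert sign` is comparing the fingerprint the master shows for the request with the fingerprint the client itself reports (`puppet agent --fingerprint` on the client), so that a request submitted under a stolen hostname is not signed by accident. The shell helpers below are an added example, not code from the original post: they assume the line format that `puppet cert list --all` prints on Puppet 3.x (unsigned requests have no marker in the first column, signed certs start with `+`, revoked ones with `-`), and the listing in SAMPLE_CERT_LIST is constructed, not captured from a real master. verified_sign prints the sign command instead of executing it so the example runs without puppet installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers around the
# "more secure" signing workflow. The listing below is CONSTRUCTED in the
# format `puppet cert list --all` uses on Puppet 3.x (assumption):
#   '  "host" (SHA256) FP'                        -> pending request
#   '+ "host" (SHA256) FP'                        -> signed
#   '- "host" (SHA256) FP (certificate revoked)'  -> revoked
SAMPLE_CERT_LIST='  "test-host01" (SHA256) 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09
+ "concar-pm01" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
- "old-host02" (SHA256) 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA (certificate revoked)'

# pending_requests LISTING
# Print the host names whose CSR is still waiting for a signature, i.e.
# lines whose first field is not the "+" (signed) or "-" (revoked) marker.
pending_requests() {
    printf '%s\n' "$1" | awk '$1 !~ /^[+-]$/ { gsub(/"/, "", $1); print $1 }'
}

# request_fingerprint HOST LISTING
# Print the fingerprint the master holds for HOST (pending, signed or
# revoked), or nothing if the host does not appear in the listing.
request_fingerprint() {
    printf '%s\n' "$2" | awk -v host="\"$1\"" '
        $1 == host { print $3; exit }   # pending: name is the first field
        $2 == host { print $4; exit }'  # signed/revoked: marker comes first
}

# verified_sign HOST REPORTED_FP LISTING
# Only emit the sign command when REPORTED_FP (what the client printed with
# `puppet agent --fingerprint`) matches the request the master holds.
# Returns 1 on mismatch, 2 when no request exists for HOST.
verified_sign() {
    host=$1
    reported=$2
    listing=$3
    expected=$(request_fingerprint "$host" "$listing")
    if [ -z "$expected" ]; then
        echo "no certificate request for $host" >&2
        return 2
    fi
    if [ "$expected" != "$reported" ]; then
        echo "fingerprint mismatch for $host: refusing to sign" >&2
        return 1
    fi
    # An operator would run this instead of printing it.
    echo "puppet cert sign $host"
}

# Stand-alone usage against the constructed listing.
echo "pending requests:"
pending_requests "$SAMPLE_CERT_LIST"
verified_sign test-host01 \
    "1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09" \
    "$SAMPLE_CERT_LIST"
```

With autosign = true (the "less secure" method) no such comparison happens at all; every request that reaches the master is signed, which is why that setting should be reverted as soon as the affected hosts have run.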
Like this:
Wow. That is so elegant and logical and clearly explained. Brilliantly goes through what could be a complex process and makes it obvious.