0

Puppet Master version 3.7.1, Puppet Agent version 0.25.4

Hi there guys, I'm still in the beginning stages of using Puppet, running at least 10 agents. I have written 20-odd modules and all worked fine.

Yesterday I tried adding custom facts and got this error:

`Failed to retrieve current state of resource: Could not retrieve information from source`

I thought it may be certificate related so I revoked the agent's cert with a normal

`puppet cert clean agentname`

I also removed the /var/lib/puppet/ssl directory.

When I now do

`puppetd --test` **or** `puppet agent --test`

I now always get this

`err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed`

I know this is some certificate mixup, BUT I have already tried the following:

1. Removed the master /var/lib/puppet/ssl
2. Restarted the master
3. Removed the agent /var/lib/puppet/ssl
4. Ran puppet agent --test
Malan
  • What is the output of: `puppet cert --list --all`? – Diamond Dec 23 '15 at 08:25
  • And maybe you should first go through this: [Troubleshooting Connections Between Components](https://docs.puppetlabs.com/pe/latest/trouble_comms.html) – Diamond Dec 23 '15 at 08:28
  • why `Puppet Agent version 0.25.4` instead of `3.7.1`? – 030 Dec 26 '15 at 13:37
  • for the client "puppet cert clean agentname" from your master and in your client /var/lib/puppet/ssl and use updated puppet client – c4f4t0r Dec 26 '15 at 19:04
  • `puppet:/etc/puppet # puppet cert --list --all` `+ "agent.fqdn.co.za" (SHA256)` `+ "puppet.fqdn.co.za" (SHA256)` – Malan Dec 28 '15 at 06:13
  • Connection to the puppet master is fine as it signs the certificates. `agent.fqdn.co.za # telnet puppet 8140` `Trying 10.10.1.215...` `Connected to puppet.` `Escape character is '^]'.` – Malan Dec 28 '15 at 06:17

2 Answers

0

As the ssl directory has been removed from the master, the puppetmaster needs to be restarted.

Once restarted a new ssl directory has been created. When an agent run has been completed a certificate sign request should be visible on the master.

030
  • The Master does receive the request and signs the certificate. I can even see it under --list --all but I still get the same error from the agent's side. – Malan Dec 28 '15 at 06:09
0
  1. I removed the `autosign.conf` from the `/etc/puppet` directory
  2. I removed the `autosign=true` from the `/etc/puppet/puppet.conf`
  3. `puppet cert clean <NODE NAME>` (on the master)
  4. `rm -r $(puppet agent --configprint ssldir)` (on the agent)
  5. `puppet agent --test` (on the agent)
  6. `puppet cert sign <NODE NAME>` (on the master)

And it worked... for some bizarre reason.

Malan
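
Steps 1 and 2 of the answer above switch off autosigning on the master before the certificate is reissued and signed by hand. As an added example (not part of the original answer or of Puppet itself), this shell function reports whether a given `puppet.conf` and `autosign.conf` still let the master sign requests on its own; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how autosigning is configured on a Puppet master.
# File paths are arguments; the script only reads files, it never calls puppet.

# autosign_setting CONF: print the autosign value, [master] overriding [main].
autosign_setting() {
    awk -F= '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
        /^[ \t]*#/  { next }
        $1 ~ /^[ \t]*autosign[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (section == "master") in_master = v
            if (section == "main")   in_main = v
        }
        END { print (in_master != "" ? in_master : in_main) }
    ' "$1"
}

# classify_autosign CONF WHITELIST prints one of:
#   naive      autosign = true, every certificate request is signed
#   policy     autosign points at an executable that decides per request
#   wildcard   the whitelist file has a glob entry such as *.example.com
#   whitelist  the whitelist file has no glob entries
#   off        autosign = false, or there is no whitelist file
classify_autosign() {
    value=$(autosign_setting "$1")
    case "$value" in
        true)  echo naive; return ;;
        false) echo off; return ;;
        "")    list=$2 ;;       # unset: the default whitelist, autosign.conf
        *)     list=$value ;;   # explicit path from puppet.conf
    esac
    [ -f "$list" ] || { echo off; return; }
    [ -x "$list" ] && { echo policy; return; }
    if grep -v '^[[:space:]]*#' "$list" | grep -q '\*'; then
        echo wildcard
    else
        echo whitelist
    fi
}

# Constructed sample files standing in for /etc/puppet on the master.
tmp=$(mktemp -d)
printf '[main]\nlogdir = /var/log/puppet\n[master]\nautosign = true\n' > "$tmp/puppet.conf"
printf '[main]\nlogdir = /var/log/puppet\n' > "$tmp/puppet.fixed.conf"
printf '# lab nodes\n*.fqdn.co.za\n' > "$tmp/autosign.conf"
echo "autosign=true in puppet.conf: $(classify_autosign "$tmp/puppet.conf" "$tmp/autosign.conf")"
echo "autosign.conf still present:  $(classify_autosign "$tmp/puppet.fixed.conf" "$tmp/autosign.conf")"
echo "after steps 1 and 2:          $(classify_autosign "$tmp/puppet.fixed.conf" "$tmp/removed.conf")"
rm -rf "$tmp"
```

On a real master the two arguments would be `/etc/puppet/puppet.conf` and `/etc/puppet/autosign.conf`; anything other than `off` means some certificate requests are signed without a manual `puppet cert sign`.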