Ssh – Puppet Master in Virtual Machine with Port Forwarding (SSL certificate error?)

networking, puppet, ssh

I am trying to run a puppet master on a virtual machine, and connect from a client machine, via port forwarding on the virtual machine's host.

The details

I have a virtual machine running Ubuntu with Puppet 3.1.1 (called mgt). The host for the virtual machine (called loki) runs rinetd, which forwards incoming connections on port 8140 to the virtual machine.

I have a client machine (called thor) with Puppet 3.0.2.

Testing with netcat and telnet confirms that the port forwarding works and that I can connect from my client machine (thor) to the puppet master virtual machine (mgt).

When I run the puppet master (on mgt) with the following command it appears to start correctly:

puppet master --no-daemonize --debug

When I then run the agent (on thor), with the following command:

puppet agent --server loki --test --no-daemonize

I get the following error:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Info: Retrieving plugin
Error: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Error: /File[/var/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost] Could not retrieve file metadata for puppet://loki/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]

But I get no additional output on the puppet master indicating that a connection was attempted or refused.

My understanding is that the puppet master should refuse to connect until the client's certificate is signed. Using the command puppet set list does not list any unsigned certificates.

Any suggestions on how to proceed?

Best Answer

My apologies, I misread your original error. It seems the master/agent have gotten confused; see this link for details.

Specifically:

The server certificate that puppet has and the one that the puppetmaster is using differ. On a pure puppet node one simple way is just to remove the current SSL information and start again:

find /var/lib/puppet -type f -print0 |xargs -0r rm

Also ensure that the client and server agree what the current time is (otherwise the certificate created may not be valid on the other machine).
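The two causes the answer names, a stale CA copy on the agent and a clock that puts the agent outside the certificate's validity window, can both be reproduced and checked offline. The script below is an added example and is not code from the question, the answer or the Puppet project. It builds constructed certificates in a temporary directory (the CA name is copied from the error message, the master name from the VM in the question; the file names are hypothetical) and assumes only the openssl command-line tool is installed (1.0.2 or newer, for `verify -attime`). On a real agent you would run `cert_fingerprint` against `/var/lib/puppet/ssl/certs/ca.pem` on the agent and on the master and compare the two values; a mismatch is exactly the "self signed certificate in certificate chain" error above, and the fix is the `find ... | xargs -0r rm` from the answer followed by a fresh agent run. The checks do not cover hostname verification: the agent here connects to `loki` while the master's certificate is issued for `mgt`, which is a separate thing to confirm (Puppet's `dns_alt_names` master setting exists for that case).

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Builds
# constructed certificates in a temp dir and checks the two things the
# answer names: (1) the CA the agent holds differs from the one the master
# presents, (2) the agent's clock lies outside the certificate's validity
# window. Assumes the openssl CLI (1.0.2+, for `verify -attime`).
set -e

WORK=$(mktemp -d)

# Constructed CA standing in for the master's current CA; the CN is copied
# from the error message in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
  -subj "/CN=Puppet CA: localhost" \
  -keyout "$WORK/master_ca.key" -out "$WORK/master_ca.pem" 2>/dev/null

# A second CA with the same name but a different key: a stale
# /var/lib/puppet/ssl/certs/ca.pem left on the agent from an earlier master.
openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
  -subj "/CN=Puppet CA: localhost" \
  -keyout "$WORK/stale_ca.key" -out "$WORK/stale_ca.pem" 2>/dev/null

# Master certificate (CN taken from the VM name in the question), signed by
# the current CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mgt" \
  -keyout "$WORK/mgt.key" -out "$WORK/mgt.csr" 2>/dev/null
openssl x509 -req -in "$WORK/mgt.csr" -CA "$WORK/master_ca.pem" \
  -CAkey "$WORK/master_ca.key" -set_serial 1 -days 3 \
  -out "$WORK/mgt.pem" 2>/dev/null

# Clock reading taken after the certificates exist, so "now" is inside
# their validity window.
NOW=$(date +%s)

# SHA-256 fingerprint of a PEM certificate. Comparing the agent's ca.pem
# with the master's ca.pem this way shows whether "the server certificate
# that puppet has and the one that the puppetmaster is using differ".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when both files carry the same certificate.
ca_matches() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Verify the master certificate ($2) against the agent's CA file ($1) the
# way the agent's TLS library would: the master sends its own CA cert in the
# handshake (here: -untrusted), and only the agent's local copy is trusted.
# $3 is the agent's clock in epoch seconds, so clock skew can be reproduced
# without touching the system clock.
chain_verifies_at() {
  openssl verify -attime "$3" -CAfile "$1" \
    -untrusted "$WORK/master_ca.pem" "$2" >/dev/null 2>&1
}

# First error line openssl prints for the same verification, for the reader.
verify_error() {
  openssl verify -attime "$3" -CAfile "$1" \
    -untrusted "$WORK/master_ca.pem" "$2" 2>&1 | grep -i 'error' | head -n 1 || true
}

# Human-readable verdict for one agent CA file and one clock reading.
report() {
  if ! ca_matches "$1" "$WORK/master_ca.pem"; then
    echo "$(basename "$1"): fingerprint differs from the master's CA -> remove agent SSL dir and re-request"
    echo "  openssl says: $(verify_error "$1" "$WORK/mgt.pem" "$2")"
  elif ! chain_verifies_at "$1" "$WORK/mgt.pem" "$2"; then
    echo "$(basename "$1"): CA matches but chain fails at time $2 -> check the clocks"
    echo "  openssl says: $(verify_error "$1" "$WORK/mgt.pem" "$2")"
  else
    echo "$(basename "$1"): chain verifies at time $2"
  fi
}

report "$WORK/master_ca.pem" "$NOW"                  # healthy agent
report "$WORK/stale_ca.pem"  "$NOW"                  # stale ca.pem: the question's error
report "$WORK/master_ca.pem" "$((NOW - 2 * 86400))"  # agent clock two days behind
```

The `-untrusted` argument matters: without it, openssl reports a missing issuer rather than the "self signed certificate in certificate chain" message the question shows, because in the TLS handshake the master hands over its CA certificate and the agent's only decision is whether that CA is the one it already trusts.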