Puppet: fix SSL mismatch error

I have been doing a bit of log message cleanup, in relation to a new Puppet setup I have done. After a bit of deprecation fixing, and a bit of other small bug-fixing, I came across an SSL error in the messages log, due to an SSL certificate mismatch:

$ tail -fn200 /var/log/messages 
Jul 14 14:29:14 oapuppet01 puppet-agent[18845]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet.solido.net]
Jul 14 14:29:15 oapuppet01 puppet-agent[18845]: (/File[/var/lib/puppet/lib]) Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet.solido.net]
Jul 14 14:29:15 oapuppet01 puppet-agent[18845]: (/File[/var/lib/puppet/lib]) Wrapped exception:
Jul 14 14:29:15 oapuppet01 puppet-agent[18845]: (/File[/var/lib/puppet/lib]) SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet.solido.net]
Jul 14 14:29:16 oapuppet01 puppet-agent[18845]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet.solido.net]

I can see there are a few SSL mismatch errors here. I found a fix with the puppetdb util, which is used as a datastore with features within Puppet. So I start by downloading this util:

$ apt-get install puppetdb

Then I use the ssl-setup -f (force) command from puppetdb, which forces the SSL match to sign and set certificates again:

$ puppetdb ssl-setup -f

PEM files in /etc/puppetdb/ssl already exists, checking integrity.
Overwriting existing PEM files due to -f flag
Copying files: /var/lib/puppet/ssl/certs/ca.pem, /var/lib/puppet/ssl/private_keys/oapuppet01.solido.net.pem and /var/lib/puppet/ssl/certs/oapuppet01.solido.net.pem to /etc/puppetdb/ssl
Setting ssl-host in /etc/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetdb/conf.d/jetty.ini already correct.

Check if it works. If it still does not, go ahead and delete the existing certificates on your agents/clients (note that the command below removes every file under /var/lib/puppet, not only the SSL directory):

$ find /var/lib/puppet -type f -exec rm -rf {} \;

Afterwards, clean all certificates from your master:

$ puppet cert clean --all

Then run the agent on your clients to check whether it works:

$ puppet agent -t

That should be it.
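The log lines above fail where the agent checks the master's certificate against the CA copy in its own SSL directory. Before wiping /var/lib/puppet, that check can be done by hand with openssl; the script below is an added example, not from the original post, that generates a throwaway CA and server certificate itself (the puppet.example.net names are placeholders) and assumes only that openssl is installed.

```shell
# Added example, not from the original post: confirm a CA mismatch with openssl before
# deleting anything, by checking a server certificate against the CA copy an agent holds.
# Assumes only that openssl is installed; every key and certificate below is generated
# in a temporary directory as constructed test data, not real Puppet files.
set -eu

# make_ca DIR CN: create a self-signed CA (key + cert) in DIR, as Puppet's CA is.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_cert DIR CADIR CN: issue a server certificate for CN signed by the CA in CADIR.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$2/ca.pem" -CAkey "$2/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.pem" >/dev/null 2>&1
}

# verify_chain AGENT_CA SERVER_CERT: exit 0 when the server certificate chains to the CA
# the agent trusts, non-zero otherwise; this is the check puppet-agent fails in the log.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_PEM: SHA-256 fingerprint of a CA cert. Comparing this value for
# /var/lib/puppet/ssl/certs/ca.pem on the agent and on the master exposes a stale copy.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# demo_mismatch: a fresh master CA versus a stale CA copy left on an agent.
# Prints one line per check and returns 0 only if the results are as expected.
demo_mismatch() {
  work=$(mktemp -d)
  mkdir "$work/master" "$work/stale" "$work/srv"
  make_ca "$work/master" "Puppet CA: puppet.example.net"
  make_ca "$work/stale"  "Puppet CA: puppet.example.net"   # same CN, different key
  issue_cert "$work/srv" "$work/master" "puppet.example.net"
  if verify_chain "$work/master/ca.pem" "$work/srv/server.pem"; then cur=ok; else cur=FAIL; fi
  if verify_chain "$work/stale/ca.pem" "$work/srv/server.pem"; then old=ok; else old=FAIL; fi
  echo "current CA: $cur  stale CA: $old"
  echo "master CA fingerprint $(ca_fingerprint "$work/master/ca.pem")"
  echo "stale  CA fingerprint $(ca_fingerprint "$work/stale/ca.pem")"
  rm -rf "$work"
  [ "$cur" = ok ] && [ "$old" = FAIL ]
}
```

On a real agent, run verify_chain with /var/lib/puppet/ssl/certs/ca.pem and the master's certificate: a failure there, together with differing CA fingerprints on agent and master, is the mismatch the log reports, and only then is regenerating the agent's certificates the right fix.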
