On Mon, Apr 7, 2014 at 4:57 PM, Charlie Baum <[email protected]> wrote:
> I have 8 or 9 Windows 2012 servers with latest puppet client 3.4.3. Out
> of those, 4 of them have experienced issues with the SSL cert. Here is
> what my event log contains: (each line is a different entry in the event
> log, all within about 1.5 seconds)
>
> *Unable to fetch my node definition, but the agent run will continue:*
>
> *SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Could not retrieve file metadata for puppet://autopuppet.sys.comcast.net/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> *Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>

Is the cert actually revoked on the master? If one exists, then it could be you created it from a non-privileged user and then later tried to connect with a privileged user.

If you have a certificate already created and accepted from a non-privileged user, when the privileged user attempts to connect, it is going to attempt to send a new certificate request (due to ~/.puppet/etc/ssl versus c:/ProgramData/PuppetLabs/puppet/etc/ssl). The non-privileged user doesn't have access to programdata, so the request happens from another location it does have access to.

Let's start there.

> This is very frustrating for a product I would like to put into
> production. I have searched and found resolutions to this issue, but can't
> find a discussion on the root cause. Is it a crappy Windows agent?
> Bug/issue on the puppet master side? How can I avoid this from happening
> all over my prod environment if I go that route?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/031c8459-ffdf-4cf0-b7f6-144d3aa43424%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Rob Reynolds
Developer, Puppet Labs

*Join us at PuppetConf 2014, September 23-24 in San Francisco - http://puppetconf.com*
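
The check implied by the reply above, as an added example that is not part of the original thread: a PowerShell script, run from an elevated prompt on the agent, that loads the agent certificates from both ssldir locations the reply names and flags any certname holding more than one distinct certificate. It assumes `~` maps to each profile under `C:\Users` and that certificates sit in a `certs` subdirectory with the CA copy named `ca.pem`.

```powershell
# Added example (not from the thread): list every Puppet agent certificate found
# in the two ssldir locations named in the reply and flag certnames that have
# more than one distinct certificate on this host.

# Paths taken from the reply; "~" is assumed to be each user's profile directory.
$candidates = @('C:\ProgramData\PuppetLabs\puppet\etc\ssl')
$candidates += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName '.puppet\etc\ssl' }

$found = foreach ($ssl in $candidates) {
    $certDir = Join-Path $ssl 'certs'          # assumed layout: <ssldir>\certs\*.pem
    if (-not (Test-Path $certDir)) { continue }
    Get-ChildItem $certDir -Filter '*.pem' |
        Where-Object { $_.Name -ne 'ca.pem' } | # skip the CA certificate copy
        ForEach-Object {
            # X509Certificate2 loads a single PEM-encoded certificate from a file
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
            [pscustomobject]@{
                SslDir     = $ssl
                Subject    = $c.Subject
                Serial     = $c.SerialNumber
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
            }
        }
}

# Full inventory, oldest certificate first within each certname
$found | Sort-Object Subject, NotBefore | Format-Table -AutoSize

# Same certname with different thumbprints means a second request was generated
# from a different ssldir, which is the situation the reply describes.
$found | Group-Object Subject | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty Thumbprint -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("{0}: {1} different certificates on this host; check which serial the master has signed or revoked" -f $_.Name, $distinct.Count)
    }
}
```

The serial of each listed certificate can then be compared with what the master holds for that certname to answer whether the one the service presents is the revoked one.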
