Hmm, perhaps I should RTFM: https://puppet.com/docs/puppetdb/6.0/maintain_and_tune.html#redo-ssl-setup-after-changing-certificates
On Friday, 16 November 2018 16:49:20 UTC, Andy Hall wrote:
>
> Apologies for the late reply, but do you know how to re-create the certs for PuppetDB? Is there a specific PuppetDB group who may be able to answer this? Thanks very much.
>
> On Wednesday, 3 October 2018 19:04:26 UTC+1, Maggie Dreyer wrote:
>>
>> If you regenerated your CA as part of fixing the issues with the master/agent connection, did you also regenerate the certificates for PuppetDB? Not having really any experience with PuppetDB, I could see this error being caused by still using certificates issued by the old certificate authority.
>>
>> On Wed, Oct 3, 2018 at 10:58 AM Andy Hall <[email protected]> wrote:
>>
>>> Just fixed an issue with the puppetserver CA after a 5.x to 6.x upgrade (see post "PUPPET 6.0 : CSR from master does not match the agent public key" for more details), but now experience the following issue with PuppetDB (maybe a problem with the Java KeyStore?):
>>>
>>> AGENT:
>>>
>>> # puppet agent --test
>>>
>>> Warning: Unable to fetch my node definition, but the agent run will continue:
>>> Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for andy-puppet6-test.london.company.com: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>>
>>> Info: Retrieving pluginfacts
>>> Info: Retrieving plugin
>>> Info: Retrieving locales
>>> Info: Loading facts
>>>
>>> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=53837e24e8b91d10fc3a81a657b83258c0ab3f8f&version=5&certname=andy-puppet6-test.london.company.com&command=replace_facts&producer-timestamp=1538588583' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>> Warning: Not using cache on failed catalog
>>> Error: Could not retrieve catalog; skipping run
>>>
>>> MASTER:
>>>
>>> ==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
>>> 2018-10-03T18:49:26.860+01:00 ERROR [qtp1255475413-70] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
>>>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>>>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
>>>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
>>>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
>>>     at java.lang.Thread.run(Thread.java:748)
>>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
>>>     ... 9 common frames omitted
>>> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>>>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
>>>     at sun.security.validator.Validator.validate(Validator.java:262)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>>>     ... 17 common frames omitted
>>> Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>>>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
>>>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>>>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>>>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
>>>     ... 23 common frames omitted
>>> 2018-10-03T18:49:26.873+01:00 WARN [qtp1255475413-70] [puppetserver] Puppet Error connecting to ldn1-puppet5.london.company.com on 8081 at route /pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
>>> 2018-10-03T18:49:26.881+01:00 ERROR [qtp1255475413-70] [puppetserver] Puppet Server Error: Could not retrieve facts for andy-puppet6-test.london.company.com: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/andy-puppet6-test.london.company.com/facts' on at least 1 of the following 'server_urls': https://ldn1-puppet5.london.company.com:8081
>>>
>>> Seems to be an SSL issue with PuppetDB? Maybe the Java KeyStore? Please note this is not a simple TCP problem; the connection from agent to master on port 8081 is fine.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/10f93c46-6fbb-484f-9a60-a3ebbf0116b7%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
