This, if I remember correctly, looks like a certificate chain issue. Your Puppet Architecture is a "Master of Masters" architecture.
Cert for Server B is signed by Cert for Server A? Correct? Is the cert for Server C (the agent) signed by the CA certificate chain? Try executing: *puppet cert list* and confirm that all certificates for all three servers are listed. -------------------------- Warron French On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli <[email protected]> wrote: > Hi all, > > I have the following puppet layout: > ``` > Server A - Puppetserver (CA) > Server B - Puppetserver > Server C - Agent > ``` > > With the agent (server C) having it's cert signed by the CA (server A) > however pointed to (server B) as it's master. > > The issue I'm having is that when running `puppet agent -t` on the agent, > I can create a request to the CA and have the CA sign it, but then when I > go to run again: > > ``` > Error: Connection to > https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying > next route: Request to > https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after > 0.094 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert > certificate unknown > ``` > > Now on the agent, I can see that the Server-B cert is signed by the CA > Server-A and it's available on the agent (server C) under: > `/etc/puppetlabs/puppet/ssl/certs/ca.pem` > > But yet - I still get the error... where is the puppet agent trying to > find the `ca.pem` cert to verify the masters certificate?!? > > Any ideas? > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com > <https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAJdJdQnV42nr_8Bg_ZypYPg6sguO0FicGH2tWqv0zsWzffVpQA%40mail.gmail.com.
