G'day Warron,

So, doing some CA/SSL info gathering (note `puppet cert` not being a thing anymore on 7.x, which I'm running):

On server-A (CA & master 1):

puppetserver ca list --all
```
server-A (alt names: DNS:puppet, DNS:server-A)
server-B (alt names: DNS:server-B)
server-C (alt names: DNS:server-C)
```

puppet ssl show
```
...
Issuer: CN=Puppet CA: server-A
...
Subject: CN=server-A
...
```

On server-B (master 2):

puppetserver ca list --all
```
Error: Failed connecting to https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get certificate CRL)
```

puppet ssl show
```
Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
```

I also note that today, `puppet agent -t` is now also failing with:
```
Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
```

On server-C (agent):

puppet ssl show
```
...
Issuer: CN=Puppet CA:server-A
...
Subject: CN=server-B
...
```

Hope this helps my case!

On Friday, 7 May 2021 at 8:42:46 am UTC+10 [email protected] wrote:
> This, if I remember correctly, looks like a certificate chain issue. Your Puppet Architecture is a "Master of Masters" architecture.
>
> Cert for Server B is signed by Cert for Server A? Correct?
> Is the cert for Server C (the agent) signed by the CA certificate chain?
>
> Try executing: *puppet cert list* and confirm that all certificates for all three servers are listed.
>
> --------------------------
> Warron French
>
> On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli <[email protected]> wrote:
>
>> Hi all,
>>
>> I have the following puppet layout:
>> ```
>> Server A - Puppetserver (CA)
>> Server B - Puppetserver
>> Server C - Agent
>> ```
>>
>> With the agent (server C) having its cert signed by the CA (server A), however pointed to (server B) as its master.
>>
>> The issue I'm having is that when running `puppet agent -t` on the agent, I can create a request to the CA and have the CA sign it, but then when I go to run again:
>>
>> ```
>> Error: Connection to https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying next route: Request to https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after 0.094 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
>> ```
>>
>> Now on the agent, I can see that the Server-B cert is signed by the CA Server-A and it's available on the agent (server C) under:
>> `/etc/puppetlabs/puppet/ssl/certs/ca.pem`
>>
>> But yet - I still get the error... where is the puppet agent trying to find the `ca.pem` cert to verify the master's certificate?!?
>>
>> Any ideas?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com.
>>
>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/803a0f0a-01c9-4001-9bb6-c8d8a26c783an%40googlegroups.com.
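The condition server-B fails on above ("unable to get certificate CRL", "The CRL issued by ... is missing") can be checked directly on any compile master or agent; the script below is an added example, not code from the thread or from Puppet, that verifies a host's CRL is present, names the CA in its ca.pem as issuer, and carries a signature that verifies against that CA. It assumes the usual Puppet file locations (/etc/puppetlabs/puppet/ssl/certs/ca.pem and /etc/puppetlabs/puppet/ssl/crl.pem) and the CA name "Puppet CA: server-A" from the thread; the CA and CRL it runs against here are throwaway fixtures constructed inline with openssl so it runs offline.

```shell
# Added example: check that a host's Puppet CRL was issued and signed by the CA in ca.pem.
# Assumed default paths: /etc/puppetlabs/puppet/ssl/certs/ca.pem and
# /etc/puppetlabs/puppet/ssl/crl.pem. A missing or foreign CRL is what makes the
# agent report "unable to get certificate CRL" / "The CRL issued by ... is missing".

# check_crl CA_PEM CRL_PEM -> 0 when the CRL exists, names the CA as its issuer,
# and its signature verifies against the CA certificate; 1 otherwise.
check_crl() {
    if [ ! -r "$2" ]; then
        echo "CRL $2 is missing or unreadable" >&2
        return 1
    fi
    ca_subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    crl_issuer=$(openssl crl -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$ca_subject" != "$crl_issuer" ]; then
        echo "CRL issuer '$crl_issuer' does not match CA '$ca_subject'" >&2
        return 1
    fi
    # The signature check the agent performs: the CRL must be signed by the CA's key.
    if ! openssl crl -in "$2" -CAfile "$1" -noout >/dev/null 2>&1; then
        echo "CRL signature does not verify against $1" >&2
        return 1
    fi
    echo "CRL issued by '$crl_issuer' is consistent with $1"
}

# --- constructed fixtures: a throwaway CA with one CRL, plus an unrelated CA ---
WORK=$(mktemp -d)
make_ca() {  # make_ca CN KEYFILE CERTFILE  (self-signed CA, 1-day validity)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}
make_ca "Puppet CA: server-A" "$WORK/ca.key" "$WORK/ca.pem"
make_ca "Puppet CA: other" "$WORK/other.key" "$WORK/other.pem"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = puppet
[ puppet ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1

check_crl "$WORK/ca.pem" "$WORK/crl.pem"              # consistent: prints OK line
check_crl "$WORK/other.pem" "$WORK/crl.pem" || :      # issuer mismatch: returns 1
check_crl "$WORK/ca.pem" "$WORK/absent.pem" || :      # missing CRL: returns 1
```

On a real host, point the two arguments at that host's ca.pem and crl.pem; a mismatch or missing file means the CRL has to be refreshed from the CA before agent runs against that server will succeed.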
