So, I'm thinking this is the issue I'm running into, but still not sure how to resolve it:
https://www.atcomputing.nl/blog/certificate-authority-and-puppet-6/

Need to run puppetserver ca import - before starting the puppetserver.

However, it seems `--private-key` `--crl-chain` and `--cert-bundle` are mandatory. What should I use for what?
```
/etc/puppetlabs/puppet/ssl/certs/server-b.pem
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/private_keys/server-b.pem
/etc/puppetlabs/puppet/ssl/crl.pem
```

I've tried:
```
puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem --crl-chain /etc/puppetlabs/puppet/ssl/crl.pem --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca.pem
```

But, it gives me the error of:
```
Error: Could not find certificate matching private key
```

On Friday, 7 May 2021 at 10:09:50 am UTC+10 Aaron Nicoli wrote:
> Cheers Warron,
>
> It was pretty obvious something on B is broken, but what who knows...
>
> I've just deleted everything related to B and C (A is prod, B and C are new dev) [rm -rf /etc/puppetlabs/puppet/ssl; rm -rf /etc/puppetlabs/puppetserver/ca; puppetserver ca clean x].
>
> After doing this, with both puppet and puppetserver services stopped on B, I've run puppet agent -t...
> Then signed the request on server-A
>
> Everything working on B (as an agent)...
>
> Then again everything stopped and deleted on C (agent)...
> puppet agent -t, signed on A...
>
> Can't connect to the puppetmaster (server-B), because I haven't started the service, but other than that everything perfect.
>
> Start the puppetserver service on server-B... and then run puppet agent -t on server-C again...
> ```
> Error: Connection to https://server-B:8140/puppet/v3 failed, trying next route: Request to https://server-B:8140/puppet/v3 failed after 0.103 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
> Wrapped exception:
> SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
> ```
>
> Pretty much back to where we started...
>
> Then I go back to server-B and run puppet agent -t... broken:
> ```
> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
> ```
>
> From what I can tell, the puppetserver service (upon startup on server-B) is "blatting" the correct certs on server-B...
>
> That's the best conclusion I can come to at this point.
> On Friday, 7 May 2021 at 9:50:24 am UTC+10 [email protected] wrote:
>
>> @Aaron, good evening from the east coast of the USA.
>>
>> It looks like the first break in the chain is on ServerB, if that was not also obvious to you. To be clear, I have not worked with puppet since version 4, and in my current professional role we don't use Puppet at all (makes me sad actually).
>>
>> Anyway, I think you need to find the certificate for ServerB and confirm the details about its PEM file.
>> Use openssl x509 -noout -text ServerB.pem (the server's PEM file is a placeholder)
>>
>> Can you provide a list of fullpath/file.pem's back to me? *This is not a production system correct?*
>>
>> --------------------------
>> Warron French
>>
>> On Thu, May 6, 2021 at 7:29 PM Aaron Nicoli <[email protected]> wrote:
>>
>>> G'day Warron,
>>>
>>> So, doing some ca/ssl info gathering (note puppet cert not being a thing anymore on 7x that I'm running):
>>>
>>> On server-A (CA & master 1):
>>> puppetserver ca list --all
>>> server-A (alt names: DNS:puppet, DNS:server-A)
>>> server-B (alt names: DNS:server-B)
>>> server-C (alt names: DNS:server-C)
>>>
>>> puppet ssl show
>>> ```
>>> ...
>>> Issuer: CN=Puppet CA: server-A
>>> ...
>>> Subject: CN=server-A
>>> ...
>>> ```
>>>
>>> On server-B (master 2):
>>> puppetserver ca list --all
>>> ```
>>> Error: Failed connecting to https://server-A:8140/puppet-ca/v1/certificate_statuses/any_key
>>> Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get certificate CRL)
>>> ```
>>>
>>> puppet ssl show
>>> ```
>>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
>>> ```
>>>
>>> I also note that today, puppet agent -t, is now also failing with:
>>> ```
>>> Error: The CRL issued by 'CN=Puppet CA: server-A' is missing
>>> Error: Could not run: The CRL issued by 'CN=Puppet CA: server-A' is missing
>>> ```
>>>
>>> On server-C (agent):
>>> puppet ssl show:
>>> ```
>>> ...
>>> Issuer: CN=Puppet CA:server-A
>>> ...
>>> Subject: CN=server-B
>>> ...
>>> ```
>>>
>>> Hope this helps my case!
>>> On Friday, 7 May 2021 at 8:42:46 am UTC+10 [email protected] wrote:
>>>
>>>> This, if I remember correctly, looks like a certificate chain issue. Your Puppet Architecture is a "Master of Masters" architecture.
>>>>
>>>> Cert for Server B is signed by Cert for Server A? Correct?
>>>> Is the cert for Server C (the agent) signed by the CA certificate chain?
>>>>
>>>> Try executing: puppet cert list and confirm that all certificates for all three servers are listed.
>>>>
>>>> --------------------------
>>>> Warron French
>>>>
>>>> On Thu, May 6, 2021 at 5:52 PM Aaron Nicoli <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have the following puppet layout:
>>>>> ```
>>>>> Server A - Puppetserver (CA)
>>>>> Server B - Puppetserver
>>>>> Server C - Agent
>>>>> ```
>>>>>
>>>>> With the agent (server C) having its cert signed by the CA (server A) however pointed to (server B) as its master.
>>>>>
>>>>> The issue I'm having is that when running `puppet agent -t` on the agent, I can create a request to the CA and have the CA sign it, but then when I go to run again:
>>>>>
>>>>> ```
>>>>> Error: Connection to https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed, trying next route: Request to https://hostname-of-server-B-puppetserver:8140/puppet/v3 failed after 0.094 seconds: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown
>>>>> ```
>>>>>
>>>>> Now on the agent, I can see that the Server-B cert is signed by the CA Server-A and it's available on the agent (server C) under:
>>>>> `/etc/puppetlabs/puppet/ssl/certs/ca.pem`
>>>>>
>>>>> But yet - I still get the error... where is the puppet agent trying to find the `ca.pem` cert to verify the master's certificate?!?
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/58b21386-50b8-42b2-b903-8db68933e491n%40googlegroups.com.
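The two checks behind the errors quoted in this thread, as an added shell example that is not part of any post: whether a private key actually belongs to the certificate handed to `--cert-bundle` ("Could not find certificate matching private key"), and whether a server certificate verifies against the `ca.pem` an agent holds ("sslv3 alert certificate unknown"). The CA name, a second "stale" CA and all files are constructed in a temp directory with openssl; they stand in for, and never touch, the real /etc/puppetlabs files.

```shell
#!/bin/sh
# Added diagnostic for the errors quoted in this thread; not part of the original posts.
# It builds a throwaway CA ("Puppet CA: server-A"), a server-B cert signed by it, and a
# second, unrelated CA, all in a temp dir, then runs the two checks that explain:
#   "Could not find certificate matching private key" -> key_matches_cert
#   "sslv3 alert certificate unknown"                  -> chains_to_ca
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures standing in for the files under /etc/puppetlabs/puppet/ssl/.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Puppet CA: server-A" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=server-B" \
  -keyout "$WORK/server-b.key" -out "$WORK/server-b.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server-b.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/server-b.pem" 2>/dev/null
# A different CA, as an agent would hold if the CA state it trusts had been regenerated.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Puppet CA: stale" \
  -keyout "$WORK/stale-ca.key" -out "$WORK/stale-ca.pem" 2>/dev/null

# key_matches_cert KEY CERT: succeeds only if KEY's public half equals CERT's public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chains_to_ca CERT CAFILE: succeeds only if CERT verifies against CAFILE (no CRL check).
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The combination tried in the top post: server-B's private key against ca.pem.
if key_matches_cert "$WORK/server-b.key" "$WORK/ca.pem"; then
  echo "server-b key matches ca.pem"
else
  echo "server-b key does not match ca.pem (ca.pem was issued for the CA's own key)"
fi
if key_matches_cert "$WORK/server-b.key" "$WORK/server-b.pem"; then
  echo "server-b key matches certs/server-b.pem"
fi
if chains_to_ca "$WORK/server-b.pem" "$WORK/ca.pem"; then
  echo "server-b.pem chains to ca.pem: an agent holding this ca.pem can verify server-B"
fi
if ! chains_to_ca "$WORK/server-b.pem" "$WORK/stale-ca.pem"; then
  echo "server-b.pem does not chain to stale-ca.pem: an agent holding it sees 'certificate unknown'"
fi
```

Run the same two functions against the real paths listed in the thread (private key, server cert, ca.pem, and the agent's copy of ca.pem) to see which link in the chain disagrees.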
