Greetings - I've applied an inCommon cert for the Foreman web interface,
but puppet agent won't work. I'm stuck at this error:
[root@foreman ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Error 400 on SERVER: Failed to find foreman.example.com via exec:
Execution of '/etc/puppet/node.rb foreman.example.com' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed when searching for node foreman.example.com: Failed to
find foreman.example.com via exec: Execution of
'/etc/puppet/node.rb foreman.example.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
I've found various threads on the subject …
https://groups.google.com/forum/#!topic/foreman-users/ien1_UV5oho
https://groups.google.com/forum/#!topic/foreman-users/MMug-F4hNHg
… but nothing I've tried has solved the problem. An 'openssl' test
reports an error, "self signed certificate in certificate chain":
[root@foreman ~]# openssl s_client -connect foreman.example.com:8140
CONNECTED(00000003)
depth=1 CN = Puppet CA: foreman.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN= foreman.example.com
i:/CN=Puppet CA: foreman.example.com
1 s:/CN=Puppet CA: foreman.example.com
i:/CN=Puppet CA: foreman.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
< snipped contents >
-----END CERTIFICATE-----
subject=/CN= foreman.example.com
issuer=/CN=Puppet CA: foreman.example.com
---
Acceptable client certificate CA names
/C=CN/O=CNNIC/CN=CNNIC ROOT
/CN=Puppet CA: foreman.example.com
< snipped remaining names >
Start Time: 1435858059
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
read:errno=0
Can anyone tell me what I might be missing?
thanks,
-r
The self-signed cert error was a red herring, evidently. On my RHEL 7.1
system it was easily resolved by copying the Puppet CA cert to the ca-trust
directory …
[root@foreman ~]# cp -p /var/lib/puppet/ssl/certs/ca.pem /etc/pki/ca-trust/source/anchors/puppet-ca.pem
… then regenerating the ca bundle:
[root@foreman ~]# update-ca-trust
So I'm back at the puppet error I described previously, without any obvious
ideas. Can anyone offer some troubleshooting tips? If I run 'node.rb'
directly, I get:
[root@foreman ~]# /etc/puppet/node.rb foreman.example.com
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed
On Thursday, July 2, 2015 at 11:23:12 PM UTC-7, Robert Moulton wrote:
>
> Greetings - I've applied an inCommon cert for the Foreman web interface,
> but puppet agent won't work. I'm stuck at this error:
>
> [root@foreman ~]# puppet agent -t
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: Error 400 on SERVER: Failed to find foreman.example.com via
> exec: Execution of '/etc/puppet/node.rb foreman.example.com' returned 1:
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed when searching for node foreman.example.com: Failed to find
> foreman.example.com via exec: Execution of '/etc/puppet/node.rb
> foreman.example.com' returned 1:
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
> I've found various threads on the subject ...
>
> https://groups.google.com/forum/#!topic/foreman-users/ien1_UV5oho
> https://groups.google.com/forum/#!topic/foreman-users/MMug-F4hNHg
>
> ... but nothing I've tried has solved the problem. An 'openssl' test
> reports an error, "self signed certificate in certificate chain":
>
> [root@foreman ~]# openssl s_client -connect foreman.example.com:8140
> CONNECTED(00000003)
> depth=1 CN = Puppet CA: foreman.example.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/CN= foreman.example.com
> i:/CN=Puppet CA: foreman.example.com
> 1 s:/CN=Puppet CA: foreman.example.com
> i:/CN=Puppet CA: foreman.example.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> < snipped contents >
> -----END CERTIFICATE-----
> subject=/CN= foreman.example.com
> issuer=/CN=Puppet CA: foreman.example.com
> ---
> Acceptable client certificate CA names
> /C=CN/O=CNNIC/CN=CNNIC ROOT
> /CN=Puppet CA: foreman.example.com
> < snipped remaining names >
>
> Start Time: 1435858059
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
> read:errno=0
>
> Can anyone tell me what I might be missing?
>
> thanks,
> -r
>
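
Why the 'openssl' test above reported verify error 19, and why naming the CA as a trust anchor clears it, shown as an added example that is not part of the original posts. It generates a throwaway CA and certificate on the spot; the function names make_demo_pki, verify_code and demo, and the CA name "Demo Puppet CA", are made up for the illustration.

```shell
#!/bin/sh
# Added illustration with a throwaway CA; nothing here touches real Puppet files.

make_demo_pki() {
    # $1 = scratch dir. Creates ca.pem (self-signed, stands in for the Puppet CA)
    # and leaf.pem (CN=foreman.example.com, signed by that CA).
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/demo.cnf" \
        -subj "/CN=Demo Puppet CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
        -subj "/CN=foreman.example.com" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

verify_code() {
    # Runs `openssl verify` with the given arguments; prints 0 on success,
    # otherwise the first numeric verify error (the "num=" value s_client shows).
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    # 1. Leaf only, CA unknown: the issuer cannot be found at all.
    a=$(verify_code "$d/leaf.pem")
    # 2. CA supplied as part of the chain but not trusted, like a server that
    #    sends its own CA certificate: the chain builds, then ends in an untrusted root.
    b=$(verify_code -untrusted "$d/ca.pem" "$d/leaf.pem")
    # 3. Same CA named as a trust anchor (what the ca-trust copy achieves system-wide).
    c=$(verify_code -CAfile "$d/ca.pem" "$d/leaf.pem")
    rm -rf "$d"
    echo "leaf-only=$a chain-untrusted=$b ca-trusted=$c"
}

demo   # leaf-only=20 chain-untrusted=19 ca-trusted=0
```

Code 19 therefore means the chain itself is intact and only the trust anchor is missing on the verifying side, which can also be checked per connection with the -CAfile option of openssl s_client.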