Mixed SSL cert problem

Greetings - I've applied an inCommon cert for the Foreman web interface,
but puppet agent won't work. I'm stuck at this error:

[root@foreman ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find foreman.example.com via exec: Execution of '/etc/puppet/node.rb foreman.example.com' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node foreman.example.com: Failed to find foreman.example.com via exec: Execution of '/etc/puppet/node.rb foreman.example.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I've found various threads on the subject …

https://groups.google.com/forum/#!topic/foreman-users/ien1_UV5oho
https://groups.google.com/forum/#!topic/foreman-users/MMug-F4hNHg

… but nothing I've tried has solved the problem. An 'openssl' test
reports an error, "self signed certificate in certificate chain":

[root@foreman ~]# openssl s_client -connect foreman.example.com:8140
CONNECTED(00000003)
depth=1 CN = Puppet CA: foreman.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0

---
Certificate chain
 0 s:/CN= foreman.example.com
   i:/CN=Puppet CA: foreman.example.com
 1 s:/CN=Puppet CA: foreman.example.com
   i:/CN=Puppet CA: foreman.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
< snipped contents >
-----END CERTIFICATE-----
subject=/CN= foreman.example.com
issuer=/CN=Puppet CA: foreman.example.com
---
Acceptable client certificate CA names
/C=CN/O=CNNIC/CN=CNNIC ROOT
/CN=Puppet CA: foreman.example.com
< snipped remaining names >
Start Time: 1435858059
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0

Can anyone tell me what I might be missing?

thanks,
-r

The self-signed cert error was a red herring, evidently. On my RHEL 7.1
system it was easily resolved by copying the Puppet CA cert to the ca-trust
directory …

[root@foreman ~]# cp -p /var/lib/puppet/ssl/certs/ca.pem /etc/pki/ca-trust/source/anchors/puppet-ca.pem

… then regenerating the ca bundle:

[root@foreman ~]# update-ca-trust

So I'm back at the puppet error I described previously, without any obvious
ideas. Can anyone offer some troubleshooting tips? If I run 'node.rb'
directly, I get:

[root@foreman ~]# /etc/puppet/node.rb foreman.example.com
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

On Thursday, July 2, 2015 at 11:23:12 PM UTC-7, Robert Moulton wrote:
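The follow-up above treats the s_client "self signed certificate in certificate chain" result as a red herring and then hits "certificate verify failed" from node.rb. As an added example (not code from this thread or from Foreman/Puppet), the script below reproduces both outcomes with throwaway certificates: verify error 19 only means the CA in the chain was not supplied as a trust anchor, while a cert issued by a different CA can never verify against the Puppet ca.pem a client holds. The CA names and file names are constructed; only the openssl CLI is needed.

```sh
#!/bin/sh
# Added example, not code from the thread: rebuild both verification outcomes
# with throwaway certificates. All names are constructed; only openssl is needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# mkca NAME SUBJECT: self-signed CA (stands in for the Puppet CA, and for an
# unrelated second CA such as the one behind the web-interface cert).
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# mkcert NAME CA: a server cert for foreman.example.com issued by CA.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=foreman.example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}
# verify_with CA CERT: succeeds when CERT chains to CA used as trust anchor,
# i.e. what `openssl s_client -CAfile` or a client holding ca.pem does.
verify_with() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}
# verify_error CA CERT: prints the X509 error number (0 = OK) when CA is only
# sent along in the chain but not trusted, like s_client with no -CAfile.
verify_error() {
  if out=$(openssl verify -untrusted "$WORK/$1.pem" "$WORK/$2.pem" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}
mkca puppet_ca "/CN=Puppet CA: foreman.example.com"
mkca other_ca  "/CN=Constructed Commercial CA"   # constructed stand-in
mkcert puppet_srv puppet_ca   # what the puppetmaster on 8140 presents
mkcert web_srv    other_ca    # what a web interface behind another CA presents
main() {
  # Same shape as the s_client output: self-signed CA in chain, untrusted -> 19.
  echo "CA in chain but untrusted -> error $(verify_error puppet_ca puppet_srv)"
  # Name the Puppet CA as trust anchor and the very same cert verifies, so the
  # error 19 alone says nothing about the server's configuration.
  verify_with puppet_ca puppet_srv && echo "Puppet CA trusted -> OK"
  # A cert from another CA never chains to the Puppet CA; a client trusting
  # only ca.pem reports 'certificate verify failed' against that service.
  verify_with puppet_ca web_srv || echo "other-CA cert vs Puppet CA -> verify failed"
}
main
```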