SSL certs after migration

Hi,

I migrated my old installation from a CentOS 6 machine to CentOS 7.
Everything went quite fine and all clients connected to the new machine
again. So far so good.

Finally I wanted to use our DigiCert certificate for Foreman's
frontend, as we did on the old one. But somehow I can't get it to work. As
soon as I replace the cert, the Puppet clients start to fail:

> Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when
> searching for node foo.bar.com: Failed to find foo.bar.com via exec:
> Execution of '/etc/puppet/node.rb foo.bar.com' returned 1:
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run

A "sudo -u puppet /etc/puppet/node.rb foo.bar.com" on the server returns:

> Could not send facts to Foreman: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed

If I check the certs I use with katello-certs-check, everything looks
fine:

> Check private key matches the certificate: [OK]
> Check ca bundle verifies the cert file: [OK]

The following values in the answers file were changed:

> server_ssl_chain: /etc/pki/tls/certs/DigiCertCA_FullChain.crt
> server_ssl_cert: /etc/pki/tls/certs/certificate.crt
> server_ssl_key: /etc/pki/tls/private/private.key
> puppet_ssl_ca: /etc/pki/tls/certs/DigiCertCA_FullChain.crt

Have not touched anything else in the file.

Currently I'm still on 1.12.4 because the update to 1.13.x didn't fully
work either (foreman-installer fails to execute. Different story…). So I
would first like to bring it fully back to work on 1.12.4.

After more than a day of not getting one step further, I'm a bit out of ideas.
What else could I try? Have I missed something?
I haven't found any good way to debug this in more detail to find the root
cause.

Thanks a lot,
Urs

Yeah, great, stupid me… m(

I was pretty sure I tried that before, but obviously I didn't.

I had to add the DigiCert_FullChain.pem to /var/lib/puppet/ssl/ca/ca_crt.pem.
Without it, it of course could never verify the certificate. Interesting
that it worked fine on the old server (I copied all the certs and configs).

Urs
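The failure and the fix above, as an added example that is not part of the original thread and not Foreman's own node.rb code. It uses Ruby's stdlib OpenSSL, the same library Net::HTTP uses when node.rb posts facts to Foreman, to show why a trust store holding only the Puppet CA rejects a DigiCert-issued frontend certificate with "certificate verify failed", and why appending the vendor chain to ca_crt.pem makes it verify. Every CA and certificate below is constructed in memory; the names (Puppet CA, Vendor Root CA, Vendor Intermediate CA, foreman.example.test) are assumptions standing in for the real Puppet CA, the DigiCert root and intermediate, and the frontend certificate.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the thread or from Foreman. It reproduces the
# node.rb verification failure and the ca_crt.pem fix with an in-memory PKI.
require 'openssl'

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Mint an X.509v3 certificate. +issuer+ is [cert, key] of the signing CA, or
# nil for a self-signed root. Constructed test data, not real DigiCert certs.
def mint_cert(cn, key, issuer, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment',
                                         true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build the demo PKI: an unrelated self-signed Puppet CA, plus a vendor
# root -> intermediate -> Foreman frontend chain (stand-in for DigiCert).
def build_demo_pki
  puppet_key = new_key
  puppet_ca  = mint_cert('Puppet CA', puppet_key, nil, ca: true, serial: 1)
  root_key   = new_key
  root       = mint_cert('Vendor Root CA', root_key, nil, ca: true, serial: 2)
  inter_key  = new_key
  inter      = mint_cert('Vendor Intermediate CA', inter_key, [root, root_key], ca: true, serial: 3)
  leaf_key   = new_key
  leaf       = mint_cert('foreman.example.test', leaf_key, [inter, inter_key], ca: false, serial: 4)
  { puppet_ca: puppet_ca, root: root, intermediate: inter, leaf: leaf }
end

# Verify +leaf+ the way node.rb's HTTPS client does. +trusted+ plays the role
# of /var/lib/puppet/ssl/ca/ca_crt.pem (puppet_ssl_ca); +presented+ are the
# intermediates the server sends in the handshake (server_ssl_chain).
# Returns [ok, error_string_or_nil].
def verify_leaf(leaf, trusted, presented = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

PKI = build_demo_pki

if __FILE__ == $PROGRAM_NAME
  # 1. ca_crt.pem holds only the Puppet CA: the failure from the first post.
  #    OpenSSL reports "unable to get local issuer certificate".
  p verify_leaf(PKI[:leaf], [PKI[:puppet_ca]], [PKI[:intermediate]])
  # 2. Full vendor chain appended to ca_crt.pem: the fix from the follow-up.
  p verify_leaf(PKI[:leaf], [PKI[:puppet_ca], PKI[:root], PKI[:intermediate]])
  # 3. The root alone suffices when the server presents the intermediate.
  p verify_leaf(PKI[:leaf], [PKI[:puppet_ca], PKI[:root]], [PKI[:intermediate]])
end
```

The third case is why katello-certs-check passing is not enough on its own: it checks that the chain file verifies the certificate, but node.rb only trusts what is in the Puppet CA file, so the vendor root (and, if Apache is not configured with server_ssl_chain, the intermediate too) has to be present there as well.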

On Thursday, December 15, 2016 at 4:38:16 PM UTC+1, Urs Weiss wrote: