Puppet ssl errors " SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed"

StackOverflow https://stackoverflow.com/questions/18454783

Question

I am trying to setup puppet master and puppetdb on same node using puppetdb module.

When I try to run puppet agent -t, I see the following error

notice: Unable to connect to puppetdb server (ip-10-172-161-25.us-west-1.compute.internal:8081): SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
notice: Failed to connect to puppetdb; sleeping 2 seconds before retry


[root@ip-10-172-161-25 modules]# puppet cert --list --all
+ "ip-10-172-161-25.us-west-1.compute.internal" (66:37:02:AB:98:C5:CD:28:1C:D3:68:53:13:CC:A1:E5)
+ "ip-10-196-99-56.us-west-1.compute.internal"  (99:C9:7C:A1:1A:FD:3C:27:85:76:C7:5A:6A:D5:F9:79)
+ "puppettest.eng.com"                         (17:4A:B9:D1:48:F2:82:73:7D:7F:1D:55:E4:A1:A6:A0) (alt names: "DNS:ip-10-172-161-25.us-west-1.compute.internal", "DNS:puppet", "DNS:puppettest.eng.com")


[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
    server = puppettest.eng.com

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

[master]

    certname=puppettest.eng.com
    dns_alt_names = ip-10-172-161-25.us-west-1.compute.internal,puppettest.eng.com,puppet

Puppetdb.conf

[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppetdb.conf
[main]
server = ip-10-172-161-25.us-west-1.compute.internal
#server = puppettest.eng.com
port = 8081

jetty.ini

[jetty]
# Hostname or IP address to listen for clear-text HTTP.  Default is localhost
# host = <host>
#host = localhost
host = localhost

# Port to listen on for clear-text HTTP.
port = 8080


# The following are SSL specific settings. They can be configured
# automatically with the tool puppetdb-ssl-setup, which is normally
# ran during package installation.

# The host or IP address to listen on for HTTPS connections
#ssl-host = ip-10-172-161-25.us-west-1.compute.internal
ssl-host = ip-10-172-161-25.us-west-1.compute.internal

# The port to listen on for HTTPS connections
ssl-port = 8081

# Private key path
ssl-key = /etc/puppetdb/ssl/private.pem

# Public certificate path
ssl-cert = /etc/puppetdb/ssl/public.pem

# Certificate authority path
ssl-ca-cert = /etc/puppetdb/ssl/ca.pem

certificate-whitelist = /etc/puppetdb/whitelist.txt

whitelist.txt

[root@ip-10-172-161-25 modules]# cat /etc/puppetdb/whitelist.txt
ip-10-172-161-25.us-west-1.compute.internal
puppettest.eng.com
localhost


[root@ip-10-172-161-25 modules]# rpm -qa | grep -i puppet

puppet-server-2.7.22-1.0.amzn1.x86_64
puppetlabs-release-5-7.noarch
puppetdb-terminus-1.4.0-1.el5.noarch
puppet-2.7.22-1.0.amzn1.x86_64
puppetdb-1.4.0-1.el5.noarch
[root@ip-10-172-161-25 modules]# rpm -qa | grep -i ruby
ruby-libs-1.8.7.374-1.0.amzn1.x86_64
ruby-1.8.7.374-1.0.amzn1.x86_64
ruby-augeas-0.4.1-1.3.amzn1.x86_64
[root@ip-10-172-161-25 modules]#

I tried multiple times to revoke the master cert and create a new one, no luck.


Solution

Tried puppetdb-ssl-setup -f; that took care of the cert mismatch.

More details in https://groups.google.com/forum/#!topic/puppet-users/VqpGAxw7-Fo

Thanks Ken for helping
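An added diagnostic (not from the question, the answer, or the Puppet project) for the name half of this problem: it parses the `puppet cert --list --all` listing and the `[main] server` value from puppetdb.conf shown above and reports which signed certs cover the name PuppetDB is addressed by, either as certname or as a DNS alt name. The sample inputs are constructed copies of the question's output; a name match is necessary but not sufficient, because the check does not verify the chain against the CA copy under /etc/puppetdb/ssl, which is what `puppetdb-ssl-setup -f` rewrites.

```python
import configparser
import re

# Constructed inputs copied from the question: the `puppet cert --list --all` listing
# ('+' signed, '-' revoked, no marker pending; alt names only when SANs exist) and puppetdb.conf.
CERT_LIST = """\
+ "ip-10-172-161-25.us-west-1.compute.internal" (66:37:02:AB:98:C5:CD:28:1C:D3:68:53:13:CC:A1:E5)
+ "ip-10-196-99-56.us-west-1.compute.internal"  (99:C9:7C:A1:1A:FD:3C:27:85:76:C7:5A:6A:D5:F9:79)
+ "puppettest.eng.com"                         (17:4A:B9:D1:48:F2:82:73:7D:7F:1D:55:E4:A1:A6:A0) (alt names: "DNS:ip-10-172-161-25.us-west-1.compute.internal", "DNS:puppet", "DNS:puppettest.eng.com")
"""
PUPPETDB_CONF = """\
[main]
server = ip-10-172-161-25.us-west-1.compute.internal
#server = puppettest.eng.com
port = 8081
"""

LINE_RE = re.compile(r'^([+-]?)\s*"([^"]+)"\s+\(([0-9A-F:]+)\)(?:\s+\(alt names:\s*(.*)\))?$')

def parse_cert_list(text):
    """Turn `puppet cert --list --all` lines into dicts: name, signed flag, fingerprint, DNS SANs."""
    certs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a certificate line
        status, name, fingerprint, alts = m.groups()
        certs.append({"name": name, "signed": status == "+", "fingerprint": fingerprint,
                      "sans": re.findall(r'"DNS:([^"]+)"', alts or "")})
    return certs

def name_matches(hostname, pattern):
    """Case-insensitive DNS-ID match; '*' is accepted only as the whole leftmost label (RFC 6125 6.4.3)."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    host_labels, pat_labels = host.split("."), pat.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]

def puppetdb_server(conf_text):
    """Read [main] server/port from puppetdb.conf; '#' lines are comments, so the commented server is ignored."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("main", "server"), cp.getint("main", "port", fallback=8081)

def certs_covering(server, certs):
    """Certnames of signed certs whose certname or a DNS SAN matches the configured server name."""
    return [c["name"] for c in certs
            if c["signed"] and any(name_matches(server, n) for n in [c["name"], *c["sans"]])]
```

Running `certs_covering(*puppetdb_server(PUPPETDB_CONF)[:1], parse_cert_list(CERT_LIST))` on the question's data lists both the host's own cert and puppettest.eng.com, so the failure there is not a missing name but a trust/chain problem on the PuppetDB side.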

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow